On main: rename-notification-mutations by jordan-dr · Pull Request #90 · DryRunSecurity/rails-projects
🟡 Please give this pull request extra attention during review.
This pull request introduces multiple Insecure Direct Object Reference (IDOR) vulnerabilities in notification-related GraphQL mutations, allowing unauthorized users to create, access, and modify notifications for other users without proper authentication or authorization checks.
🟡 Potential IDOR Vulnerability in app/graphql/mutations/notifications/create_notification.rb
| Vulnerability |
Potential IDOR Vulnerability |
| Description |
This code represents a potential Insecure Direct Object Reference (IDOR) vulnerability in a GraphQL mutation for creating notifications. The mutation accepts a user_id parameter without performing any authorization checks, which means a user could potentially create notifications for any user ID they specify. This allows for potential impersonation and unauthorized notification creation. The lack of server-side validation to ensure the current authenticated user has permission to create notifications for the specified user_id is the core security concern. |
|
module Mutations |
|
module Notifications |
|
class CreateNotification < BaseMutation |
|
graphql_name 'CreateNotification' |
|
|
|
# Required arguments for creating a notification. |
|
argument :title, String, required: true |
|
argument :body, String, required: false |
|
argument :user_id, ID, required: true |
|
|
|
# Fields returned by the mutation. |
|
field :notification, Types::NotificationType, null: true |
|
field :errors, [String], null: false |
|
|
|
def resolve(title:, body: nil, user_id:) |
|
notification = Notification.new(title: title, body: body, user_id: user_id) |
|
|
|
if notification.save |
|
{ |
|
notification: notification, |
|
errors: [] |
|
} |
|
else |
|
{ |
|
notification: nil, |
|
errors: notification.errors.full_messages |
|
} |
|
end |
|
end |
|
end |
|
end |
|
end |
🟡 Potential IDOR Vulnerability in app/graphql/mutations/notifications/update_notification.rb
| Vulnerability |
Potential IDOR Vulnerability |
| Description |
This is a true IDOR vulnerability because the mutation allows retrieving and modifying a notification by its ID without verifying the current user's ownership or access rights. The code simply finds a notification by ID and marks it as read, with no authorization check to ensure the user has permission to perform this action. An attacker could potentially modify or access notifications belonging to other users by guessing or enumerating notification IDs. |
|
module Mutations |
|
module Notifications |
|
class MarkNotificationAsRead < BaseMutation |
|
graphql_name 'MarkNotificationAsRead' |
|
|
|
# Input argument to indicate which notification to update. |
|
argument :id, ID, required: true |
|
|
|
# The response includes the updated notification and any errors. |
|
field :notification, Types::NotificationType, null: true |
|
field :errors, [String], null: false |
|
|
|
def resolve(id:) |
|
notification = Notification.find_by(id: id) |
|
return { notification: nil, errors: ["Notification not found"] } unless notification |
|
|
|
notification.read = true |
|
if notification.save |
|
{ notification: notification, errors: [] } |
|
else |
|
{ notification: nil, errors: notification.errors.full_messages } |
|
end |
|
end |
|
end |
|
end |
|
end |
🟡 Code Policy: graphql-auth-check
| Policy |
graphql-auth-check |
| Result |
The changes bypass authentication by not implementing any authentication checks. Both mutations (CreateNotification and MarkNotificationAsRead) allow direct access to notification operations without verifying the user's identity. While BaseMutation provides an 'authorize' method for implementing authorization checks, neither mutation utilizes it, effectively allowing unauthenticated access to create and update notifications. |
Insecure Direct Object Reference (IDOR) in app/graphql/mutations/notifications/update_notification.rb
| Vulnerability |
Insecure Direct Object Reference (IDOR) |
| Description |
The mutation allows marking any notification as read without verifying the user's ownership or permissions. An attacker could potentially mark notifications belonging to other users by providing their IDs. To resolve this, add an authorization check to ensure only the notification's owner or a user with appropriate permissions can mark a specific notification as read. |
|
module Mutations |
|
module Notifications |
|
class MarkNotificationAsRead < BaseMutation |
|
graphql_name 'MarkNotificationAsRead' |
|
|
|
# Input argument to indicate which notification to update. |
|
argument :id, ID, required: true |
|
|
|
# The response includes the updated notification and any errors. |
|
field :notification, Types::NotificationType, null: true |
|
field :errors, [String], null: false |
|
|
|
def resolve(id:) |
|
notification = Notification.find_by(id: id) |
|
return { notification: nil, errors: ["Notification not found"] } unless notification |
|
|
|
notification.read = true |
|
if notification.save |
|
{ notification: notification, errors: [] } |
|
else |
|
{ notification: nil, errors: notification.errors.full_messages } |
|
end |
|
end |
|
end |
|
end |
|
end |
Insecure Direct Object Reference (IDOR) in app/graphql/mutations/notifications/create_notification.rb
| Vulnerability |
Insecure Direct Object Reference (IDOR) |
| Description |
The mutation allows creating notifications for any user ID without proper authorization checks. An attacker could potentially create notifications for arbitrary users by manipulating the user_id parameter in the GraphQL request. To mitigate this, implement strict authorization checks to ensure the current user can only create notifications for themselves or has explicit permission to create notifications for other users. |
|
module Mutations |
|
module Notifications |
|
class CreateNotification < BaseMutation |
|
graphql_name 'CreateNotification' |
|
|
|
# Required arguments for creating a notification. |
|
argument :title, String, required: true |
|
argument :body, String, required: false |
|
argument :user_id, ID, required: true |
|
|
|
# Fields returned by the mutation. |
|
field :notification, Types::NotificationType, null: true |
|
field :errors, [String], null: false |
|
|
|
def resolve(title:, body: nil, user_id:) |
|
notification = Notification.new(title: title, body: body, user_id: user_id) |
|
|
|
if notification.save |
|
{ |
|
notification: notification, |
|
errors: [] |
|
} |
|
else |
|
{ |
|
notification: nil, |
|
errors: notification.errors.full_messages |
|
} |
|
end |
|
end |
|
end |
|
end |
|
end |
All finding details can be found in the DryRun Security Dashboard.
