Conversation

@jordan-dr
Contributor

No description provided.

@dryrunsecurity

dryrunsecurity bot commented Apr 22, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request introduces multiple IDOR (Insecure Direct Object Reference) vulnerabilities in GraphQL notification mutations, allowing unauthorized users to create notifications for other users and modify notification read statuses without proper authentication checks.

⚠️ Potential IDOR Vulnerability in app/graphql/mutations/notifications/create_notification.rb
Vulnerability: Potential IDOR Vulnerability
Description: This is a potential IDOR (Insecure Direct Object Reference) vulnerability because the CreateNotification mutation allows specifying an arbitrary user_id without any authorization checks. This means a user could potentially create notifications for other users by manipulating the user_id parameter. The code does not implement any server-side validation to ensure that the current authenticated user has the right to create a notification for the specified user_id.

module Mutations
  module Notifications
    class CreateNotification < BaseMutation
      graphql_name 'CreateNotification'

      # Required arguments for creating a notification.
      argument :title, String, required: true
      argument :body, String, required: false
      argument :user_id, ID, required: true

      # Fields returned by the mutation.
      field :notification, Types::NotificationType, null: true
      field :errors, [String], null: false

      def resolve(title:, body: nil, user_id:)
        notification = Notification.new(title: title, body: body, user_id: user_id)
        if notification.save
          {
            notification: notification,
            errors: []
          }
        else
          {
            notification: nil,
            errors: notification.errors.full_messages
          }
        end
      end
    end
  end
end

⚠️ Potential IDOR Vulnerability in app/graphql/mutations/notifications/update_notification.rb
Vulnerability: Potential IDOR Vulnerability
Description: This code represents a potential IDOR vulnerability because it lacks user authorization checks when retrieving and modifying a notification. The mutation simply finds a notification by ID without verifying if the current user has the right to access or modify that specific notification. An attacker could potentially manipulate the ID parameter to read or mark notifications belonging to other users.

module Mutations
  module Notifications
    class MarkNotificationAsRead < BaseMutation
      graphql_name 'MarkNotificationAsRead'

      # Input argument to indicate which notification to update.
      argument :id, ID, required: true

      # The response includes the updated notification and any errors.
      field :notification, Types::NotificationType, null: true
      field :errors, [String], null: false

      def resolve(id:)
        notification = Notification.find_by(id: id)
        return { notification: nil, errors: ["Notification not found"] } unless notification

        notification.read = true
        if notification.save
          { notification: notification, errors: [] }
        else
          { notification: nil, errors: notification.errors.full_messages }
        end
      end
    end
  end
end

✨ Code Policies (1)
Policy: graphql-auth-check
Result: The changes introduce two new GraphQL mutations (CreateNotification and MarkNotificationAsRead) that bypass authentication. While there is a BaseMutation class with authorization capabilities through the 'authorize' method, neither mutation implements or calls this authorization mechanism. The CreateNotification mutation allows creating notifications for any user_id without verification, and MarkNotificationAsRead allows updating any notification's read status without checking ownership. Additionally, the Ability class does not define any rules for Notification resources, leaving them completely unprotected.

💭 Unconfirmed Findings (2)
Vulnerability: User ID Manipulation Risk in Create Notification Mutation
Description: Located in app/graphql/mutations/notifications/create_notification.rb, this vulnerability allows creating notifications for arbitrary users without proper authorization checks. The mutation accepts a user_id parameter without verifying the current user's permission to create notifications for a specific user ID.
Vulnerability: Object Reference Vulnerability in Update Notification Mutation
Description: Found in app/graphql/mutations/notifications/update_notification.rb, this vulnerability enables marking notifications as read without proper user authorization. The mutation does not validate whether the current user has the right to modify a specific notification, potentially allowing unauthorized notification updates.

All finding details can be found in the DryRun Security Dashboard.
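The two findings above come down to the same defect: each resolver acts on a caller-supplied id without binding it to the current user. The following is an added example, not code from this pull request or from the project, showing the vulnerable resolve logic of both mutations beside a hardened form. It is plain Ruby so it runs without Rails or graphql-ruby: the `User` and `Notification` structs, the in-memory `NotificationStore` (standing in for `Notification.find_by` and `save`), and the `context[:current_user]` convention are all constructed assumptions. The hardening pattern is the usual one for IDOR: for the create path, refuse a `user_id` that is not the current user's (admins excepted); for the update path, look the record up through the current user's ownership scope so a foreign id is simply not found.

```ruby
# Added example (not the project's code). Stand-in types; a real app would use
# ActiveRecord models and graphql-ruby's BaseMutation with context[:current_user].
User = Struct.new(:id, :admin)
Notification = Struct.new(:id, :user_id, :title, :body, :read)

# Constructed in-memory store standing in for Notification.find_by / save.
class NotificationStore
  def initialize
    @rows = {}
    @next_id = 1
  end

  def create(user_id:, title:, body: nil)
    n = Notification.new(@next_id, user_id, title, body, false)
    @rows[@next_id] = n
    @next_id += 1
    n
  end

  # Unscoped lookup: the shape the vulnerable mutation relies on.
  def find_by_id(id)
    @rows[id]
  end

  # Ownership-scoped lookup (the equivalent of current_user.notifications.find_by):
  # a notification owned by another user is reported as absent.
  def find_for_user(id, user_id)
    n = @rows[id]
    n if n && n.user_id == user_id
  end
end

# Vulnerable shape of CreateNotification#resolve: trusts the caller-supplied user_id.
def create_notification_vulnerable(store, title:, user_id:, body: nil)
  n = store.create(user_id: user_id, title: title, body: body)
  { notification: n, errors: [] }
end

# Hardened CreateNotification#resolve: the target user must be the current user
# unless the caller is an admin. Authorization failures are returned as errors
# before anything is written.
def create_notification_hardened(store, context, title:, user_id:, body: nil)
  current_user = context[:current_user]
  return { notification: nil, errors: ["Not authenticated"] } unless current_user
  unless current_user.admin || current_user.id == user_id
    return { notification: nil, errors: ["Not authorized to notify user #{user_id}"] }
  end
  n = store.create(user_id: user_id, title: title, body: body)
  { notification: n, errors: [] }
end

# Vulnerable MarkNotificationAsRead#resolve: finds by id with no ownership check.
def mark_as_read_vulnerable(store, id:)
  n = store.find_by_id(id)
  return { notification: nil, errors: ["Notification not found"] } unless n
  n.read = true
  { notification: n, errors: [] }
end

# Hardened MarkNotificationAsRead#resolve: scopes the lookup to the current user.
# A foreign id yields the same "not found" as a missing one, so the response
# does not confirm that the id exists.
def mark_as_read_hardened(store, context, id:)
  current_user = context[:current_user]
  return { notification: nil, errors: ["Not authenticated"] } unless current_user
  n = store.find_for_user(id, current_user.id)
  return { notification: nil, errors: ["Notification not found"] } unless n
  n.read = true
  { notification: n, errors: [] }
end

# Demonstration with constructed users: alice attempts to act on bob's data.
def demo
  store = NotificationStore.new
  alice = User.new(1, false)
  bob = User.new(2, false)
  ctx = { current_user: alice }

  # Vulnerable paths let alice create a notification for bob and mark it read.
  bobs = create_notification_vulnerable(store, title: "hi", user_id: bob.id)[:notification]
  vuln_marked = mark_as_read_vulnerable(store, id: bobs.id)[:notification]

  # Hardened paths reject both, while alice can still act on her own notification.
  denied_create = create_notification_hardened(store, ctx, title: "hi", user_id: bob.id)
  own = create_notification_hardened(store, ctx, title: "mine", user_id: alice.id)[:notification]
  denied_mark = mark_as_read_hardened(store, ctx, id: bobs.id)
  own_marked = mark_as_read_hardened(store, ctx, id: own.id)[:notification]

  {
    vuln_marked_foreign: !vuln_marked.nil? && vuln_marked.read,
    hardened_create_denied: denied_create[:notification].nil?,
    hardened_mark_denied: denied_mark[:notification].nil?,
    own_marked: own_marked.read
  }
end
```

In a graphql-ruby codebase the same checks belong in `resolve` (or in the `BaseMutation#authorize` hook the policy result mentions), with the record fetched via the current user's association rather than `Notification.find_by(id:)`; the scoped lookup is what makes the ownership check hard to forget on later mutations.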

@jordan-dr jordan-dr closed this May 27, 2025
@jordan-dr jordan-dr reopened this May 27, 2025
@jordan-dr jordan-dr closed this May 27, 2025
@jordan-dr jordan-dr reopened this May 27, 2025
@jordan-dr jordan-dr closed this May 27, 2025
@jordan-dr jordan-dr reopened this May 27, 2025