On main: notification-mutations

[jordan-dr]

No description provided.

[dryrunsecurity]

🟡 Please give this pull request extra attention during review.

This pull request contains two potential IDOR (Insecure Direct Object Reference) vulnerabilities in notification-related mutations, where users could potentially mark notifications as read or create notifications for other users without proper authorization checks.

🟡 Potential IDOR Vulnerability in app/graphql/mutations/notifications/update_notification.rb

Vulnerability

Potential IDOR Vulnerability

Description

This is a potential IDOR vulnerability because the mutation allows marking a notification as read using only its ID without verifying the current user's ownership or access rights. The code does not implement any user authorization check before performing the action, which means a malicious user could potentially mark notifications belonging to other users as read by guessing or enumerating notification IDs.

rails-projects/app/graphql/mutations/notifications/update_notification.rb

Lines 1 to 26 in 692c637

	module Mutations
	module Notifications
	class MarkNotificationAsRead < BaseMutation
	graphql_name 'MarkNotificationAsRead'
	# Input argument to indicate which notification to update.
	argument :id, ID, required: true
	# The response includes the updated notification and any errors.
	field :notification, Types::NotificationType, null: true
	field :errors, [String], null: false
	def resolve(id:)
	notification = Notification.find_by(id: id)
	return { notification: nil, errors: ["Notification not found"] } unless notification
	notification.read = true
	if notification.save
	{ notification: notification, errors: [] }
	else
	{ notification: nil, errors: notification.errors.full_messages }
	end
	end
	end
	end
	end

🟡 Potential IDOR Vulnerability in app/graphql/mutations/notifications/create_notification.rb

Vulnerability

Potential IDOR Vulnerability

Description

This is a true IDOR (Insecure Direct Object Reference) vulnerability. The mutation allows creating a notification for any user_id without performing authorization checks to verify that the current user has the right to create a notification for the specified user. This means a malicious user could potentially create notifications impersonating other users by manipulating the user_id parameter during the GraphQL mutation call.

rails-projects/app/graphql/mutations/notifications/create_notification.rb

Lines 1 to 32 in 692c637

	module Mutations
	module Notifications
	class CreateNotification < BaseMutation
	graphql_name 'CreateNotification'
	# Required arguments for creating a notification.
	argument :title, String, required: true
	argument :body, String, required: false
	argument :user_id, ID, required: true
	# Fields returned by the mutation.
	field :notification, Types::NotificationType, null: true
	field :errors, [String], null: false
	def resolve(title:, body: nil, user_id:)
	notification = Notification.new(title: title, body: body, user_id: user_id)
	if notification.save
	{
	notification: notification,
	errors: []
	}
	else
	{
	notification: nil,
	errors: notification.errors.full_messages
	}
	end
	end
	end
	end
	end

---

All finding details can be found in the DryRun Security Dashboard.