Skip to content

On main: rename-notification-mutations #90

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

On main: rename-notification-mutations #90

wants to merge 1 commit into from

Conversation

@jordan-dr
Copy link
Contributor

@jordan-dr jordan-dr commented Jun 18, 2025

No description provided.

@dryrunsecurity
Copy link

dryrunsecurity bot commented Jun 18, 2025

DryRun Security

🟡 Please give this pull request extra attention during review.

This pull request introduces multiple Insecure Direct Object Reference (IDOR) vulnerabilities in notification-related GraphQL mutations, allowing unauthorized users to create, access, and modify notifications for other users without proper authentication or authorization checks.

🟡 Potential IDOR Vulnerability in app/graphql/mutations/notifications/create_notification.rb
Vulnerability Potential IDOR Vulnerability
Description This code represents a potential Insecure Direct Object Reference (IDOR) vulnerability in a GraphQL mutation for creating notifications. The mutation accepts a user_id parameter without performing any authorization checks, which means a user could potentially create notifications for any user ID they specify. This allows for potential impersonation and unauthorized notification creation. The lack of server-side validation to ensure the current authenticated user has permission to create notifications for the specified user_id is the core security concern.

rails-projects/app/graphql/mutations/notifications/create_notification.rb

Lines 1 to 32 in 4230c85

module Mutations
module Notifications
class CreateNotification < BaseMutation
graphql_name 'CreateNotification'
# Required arguments for creating a notification.
argument :title, String, required: true
argument :body, String, required: false
argument :user_id, ID, required: true
# Fields returned by the mutation.
field :notification, Types::NotificationType, null: true
field :errors, [String], null: false
def resolve(title:, body: nil, user_id:)
notification = Notification.new(title: title, body: body, user_id: user_id)
if notification.save
{
notification: notification,
errors: []
}
else
{
notification: nil,
errors: notification.errors.full_messages
}
end
end
end
end
end

🟡 Potential IDOR Vulnerability in app/graphql/mutations/notifications/update_notification.rb
Vulnerability Potential IDOR Vulnerability
Description This is a true IDOR vulnerability because the mutation allows retrieving and modifying a notification by its ID without verifying the current user's ownership or access rights. The code simply finds a notification by ID and marks it as read, with no authorization check to ensure the user has permission to perform this action. An attacker could potentially modify or access notifications belonging to other users by guessing or enumerating notification IDs.

rails-projects/app/graphql/mutations/notifications/update_notification.rb

Lines 1 to 26 in 4230c85

module Mutations
module Notifications
class MarkNotificationAsRead < BaseMutation
graphql_name 'MarkNotificationAsRead'
# Input argument to indicate which notification to update.
argument :id, ID, required: true
# The response includes the updated notification and any errors.
field :notification, Types::NotificationType, null: true
field :errors, [String], null: false
def resolve(id:)
notification = Notification.find_by(id: id)
return { notification: nil, errors: ["Notification not found"] } unless notification
notification.read = true
if notification.save
{ notification: notification, errors: [] }
else
{ notification: nil, errors: notification.errors.full_messages }
end
end
end
end
end

🟡 Code Policy: graphql-auth-check
Policy graphql-auth-check
Result The changes bypass authentication by not implementing any authentication checks. Both mutations (CreateNotification and MarkNotificationAsRead) allow direct access to notification operations without verifying the user's identity. While BaseMutation provides an 'authorize' method for implementing authorization checks, neither mutation utilizes it, effectively allowing unauthenticated access to create and update notifications.
Insecure Direct Object Reference (IDOR) in app/graphql/mutations/notifications/update_notification.rb
Vulnerability Insecure Direct Object Reference (IDOR)
Description The mutation allows marking any notification as read without verifying the user's ownership or permissions. An attacker could potentially mark notifications belonging to other users by providing their IDs. To resolve this, add an authorization check to ensure only the notification's owner or a user with appropriate permissions can mark a specific notification as read.

rails-projects/app/graphql/mutations/notifications/update_notification.rb

Lines 1 to 26 in 4230c85

module Mutations
module Notifications
class MarkNotificationAsRead < BaseMutation
graphql_name 'MarkNotificationAsRead'
# Input argument to indicate which notification to update.
argument :id, ID, required: true
# The response includes the updated notification and any errors.
field :notification, Types::NotificationType, null: true
field :errors, [String], null: false
def resolve(id:)
notification = Notification.find_by(id: id)
return { notification: nil, errors: ["Notification not found"] } unless notification
notification.read = true
if notification.save
{ notification: notification, errors: [] }
else
{ notification: nil, errors: notification.errors.full_messages }
end
end
end
end
end

Insecure Direct Object Reference (IDOR) in app/graphql/mutations/notifications/create_notification.rb
Vulnerability Insecure Direct Object Reference (IDOR)
Description The mutation allows creating notifications for any user ID without proper authorization checks. An attacker could potentially create notifications for arbitrary users by manipulating the user_id parameter in the GraphQL request. To mitigate this, implement strict authorization checks to ensure the current user can only create notifications for themselves or has explicit permission to create notifications for other users.

rails-projects/app/graphql/mutations/notifications/create_notification.rb

Lines 1 to 32 in 4230c85

module Mutations
module Notifications
class CreateNotification < BaseMutation
graphql_name 'CreateNotification'
# Required arguments for creating a notification.
argument :title, String, required: true
argument :body, String, required: false
argument :user_id, ID, required: true
# Fields returned by the mutation.
field :notification, Types::NotificationType, null: true
field :errors, [String], null: false
def resolve(title:, body: nil, user_id:)
notification = Notification.new(title: title, body: body, user_id: user_id)
if notification.save
{
notification: notification,
errors: []
}
else
{
notification: nil,
errors: notification.errors.full_messages
}
end
end
end
end
end

All finding details can be found in the DryRun Security Dashboard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jordan-dr