On main: notification-mutations #75
6051a36
Open
DryRunSecurity / IDOR Analyzer succeeded May 27, 2025 in 1s

IDOR Analyzer Findings: 2 detected

⚠️ Potential IDOR Vulnerability: app/graphql/mutations/notifications/create_notification.rb
Type: Potential IDOR Vulnerability
Description: This is a potential IDOR (Insecure Direct Object Reference) vulnerability because the CreateNotification mutation allows specifying an arbitrary user_id without any authorization checks. This means a user could potentially create notifications for other users by manipulating the user_id parameter. The code does not implement any server-side validation to ensure that the current authenticated user has the right to create a notification for the specified user_id.
Filename: app/graphql/mutations/notifications/create_notification.rb
Code:
module Mutations
  module Notifications
    class CreateNotification < BaseMutation
      graphql_name 'CreateNotification'

      # Required arguments for creating a notification.
      argument :title, String, required: true
      argument :body, String, required: false
      argument :user_id, ID, required: true

      # Fields returned by the mutation.
      field :notification, Types::NotificationType, null: true
      field :errors, [String], null: false

      def resolve(title:, body: nil, user_id:)
        notification = Notification.new(title: title, body: body, user_id: user_id)
        if notification.save
          {
            notification: notification,
            errors: []
          }
        else
          {
            notification: nil,
            errors: notification.errors.full_messages
          }
        end
      end
    end
  end
end
⚠️ Potential IDOR Vulnerability: app/graphql/mutations/notifications/update_notification.rb
Type: Potential IDOR Vulnerability
Description: This code represents a potential IDOR vulnerability because it lacks user authorization checks when retrieving and modifying a notification. The mutation simply finds a notification by ID without verifying if the current user has the right to access or modify that specific notification. An attacker could potentially manipulate the ID parameter to read or mark notifications belonging to other users.
Filename: app/graphql/mutations/notifications/update_notification.rb
Code:
module Mutations
  module Notifications
    class MarkNotificationAsRead < BaseMutation
      graphql_name 'MarkNotificationAsRead'

      # Input argument to indicate which notification to update.
      argument :id, ID, required: true

      # The response includes the updated notification and any errors.
      field :notification, Types::NotificationType, null: true
      field :errors, [String], null: false

      def resolve(id:)
        notification = Notification.find_by(id: id)
        return { notification: nil, errors: ["Notification not found"] } unless notification

        notification.read = true
        if notification.save
          { notification: notification, errors: [] }
        else
          { notification: nil, errors: notification.errors.full_messages }
        end
      end
    end
  end
end