On main: markasread-mutation

[jordan-dr]

No description provided.

[dryrunsecurity]

🟡 Please give this pull request extra attention during review.

This pull request contains multiple security vulnerabilities related to the MarkNotificationAsRead mutation, specifically an Insecure Direct Object Reference (IDOR) issue that allows unauthorized users to modify notification read status without proper authentication or ownership verification.

🟡 Potential IDOR Vulnerability in app/graphql/mutations/notifications/mark_notification_as_read.rb

Vulnerability

Potential IDOR Vulnerability

Description

This is a potential IDOR vulnerability because the code does not verify the user's ownership or permission to modify the specific notification. The mutation simply finds a notification by ID and marks it as read without checking if the current user has the right to perform this action. An attacker could potentially mark any notification as read by knowing or guessing its ID, which could lead to unauthorized information access or modification.

rails-projects/app/graphql/mutations/notifications/mark_notification_as_read.rb

Lines 1 to 26 in 6b9d0fa

	module Mutations
	module Notifications
	class MarkNotificationAsRead < BaseMutation
	graphql_name 'MarkNotificationAsRead'
	# Input argument to indicate which notification to update.
	argument :id, ID, required: true
	# The response includes the updated notification and any errors.
	field :notification, Types::NotificationType, null: true
	field :errors, [String], null: false
	def resolve(id:)
	notification = Notification.find_by(id: id)
	return { notification: nil, errors: ["Notification not found"] } unless notification
	notification.read = true
	if notification.save
	{ notification: notification, errors: [] }
	else
	{ notification: nil, errors: notification.errors.full_messages }
	end
	end
	end
	end
	end

🟡 Code Policy: graphql-auth-check

Policy	graphql-auth-check
Result	The new MarkNotificationAsRead mutation bypasses authentication. While the BaseMutation class provides authorization capabilities through its authorize method, the new mutation does not implement any authentication or authorization checks. It allows direct modification of notification records without verifying the user's identity or permissions.

Insecure Direct Object Reference (IDOR) in app/graphql/mutations/notifications/mark_notification_as_read.rb

Vulnerability	Insecure Direct Object Reference (IDOR)
Description	The mutation allows marking any notification as read without verifying user ownership. By calling the mutation with any notification ID, an authenticated user can modify notifications they do not own. This occurs because the code lacks a user-specific authorization check before updating the notification's read status.

rails-projects/app/graphql/mutations/notifications/mark_notification_as_read.rb

Lines 1 to 26 in 6b9d0fa

	module Mutations
	module Notifications
	class MarkNotificationAsRead < BaseMutation
	graphql_name 'MarkNotificationAsRead'
	# Input argument to indicate which notification to update.
	argument :id, ID, required: true
	# The response includes the updated notification and any errors.
	field :notification, Types::NotificationType, null: true
	field :errors, [String], null: false
	def resolve(id:)
	notification = Notification.find_by(id: id)
	return { notification: nil, errors: ["Notification not found"] } unless notification
	notification.read = true
	if notification.save
	{ notification: notification, errors: [] }
	else
	{ notification: nil, errors: notification.errors.full_messages }
	end
	end
	end
	end
	end

---

All finding details can be found in the DryRun Security Dashboard.