
Check Graphql end-point for vulnerabilities

Open palexvs opened this issue 2 years ago • 1 comment

Looks like Brakeman does not check GraphQL Mutations and Resolvers for potential vulnerabilities.

Example:

```ruby
# app/graphql/resolvers/user.rb

class Resolvers::User < Resolvers::Base
  argument :id, Integer, required: true

  def resolve(**args)
    # Looks up the record by a client-supplied id with no scoping
    User.find(args[:id])
    ...
  end
end
```

I would expect to get an UnscopedFind warning but got nothing.

Brakeman version: 6.1.2
Rails version: 7.0.8.1
Ruby version: 3.2.2

palexvs · Feb 29 '24 22:02

UnscopedFind is an optional check, because it is pretty noisy and has a lot of false positives. Assuming you are running this check (e.g. with -A or --run-all-checks)...

Brakeman only warns about unscoped finds if there is a reason to think the find could/should be scoped. In practice, this means models with a belongs_to relationship. Usually User does not belong to another model.

If I'm incorrect in my guess about User and it does have belongs_to: in it, let me know.

presidentbeef · Mar 11 '24 06:03
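The heuristic described in the reply above, as an added example that is not Brakeman's own code: a simplified scanner over constructed model and resolver sources that reports a bare `Model.find` only when that model declares `belongs_to`, and treats a find reached through an association as scoped. The `Post` model, the `MyPost` resolver and `context[:current_user]` are assumptions made for the illustration.

```ruby
# Constructed sample sources standing in for app/models/*.rb and
# app/graphql/resolvers/*.rb (not a real project's files).
MODELS = {
  "app/models/user.rb" => "class User < ApplicationRecord\n  has_many :posts\nend\n",
  "app/models/post.rb" => "class Post < ApplicationRecord\n  belongs_to :user\nend\n",
}

RESOLVERS = {
  "app/graphql/resolvers/user.rb" =>
    "class Resolvers::User < Resolvers::Base\n  def resolve(**args)\n    User.find(args[:id])\n  end\nend\n",
  "app/graphql/resolvers/post.rb" =>
    "class Resolvers::Post < Resolvers::Base\n  def resolve(**args)\n    Post.find(args[:id])\n  end\nend\n",
  "app/graphql/resolvers/my_post.rb" =>
    "class Resolvers::MyPost < Resolvers::Base\n  def resolve(**args)\n    context[:current_user].posts.find(args[:id])\n  end\nend\n",
}

# Models that declare belongs_to: the only ones the heuristic considers,
# because they have a parent record the lookup could be scoped through.
def models_with_belongs_to(models)
  models.each_with_object([]) do |(_, src), names|
    name = src[/class\s+(\w+)\s*</, 1]
    names << name if name && src.match?(/^\s*belongs_to\b/)
  end
end

# Report `Model.find(...)` / `Model.find_by(...)` where Model is a bare constant
# that declares belongs_to. A find chained off an association
# (`current_user.posts.find`) has a non-constant receiver and counts as scoped,
# and `User.find` is skipped because User has no belongs_to.
def unscoped_finds(models, resolvers)
  candidates = models_with_belongs_to(models)
  resolvers.flat_map do |path, src|
    src.each_line.with_index(1).filter_map do |line, lineno|
      m = line.match(/(?<![\w.])([A-Z]\w*)\.(find|find_by)\(/)
      next unless m && candidates.include?(m[1])
      { file: path, line: lineno, model: m[1], call: "#{m[1]}.#{m[2]}" }
    end
  end
end

if __FILE__ == $0
  unscoped_finds(MODELS, RESOLVERS).each do |w|
    puts "#{w[:file]}:#{w[:line]}: unscoped #{w[:call]} (#{w[:model]} belongs_to a parent)"
  end
end
```

Running it reports only `app/graphql/resolvers/post.rb:3`, which matches the reply: the `User.find` from the issue is silent because `User` has no `belongs_to`.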