DefaultFieldResolver: callback through ObjectAccess vulnerability
When using the DefaultFieldResolver there is the following risk:
When an object is resolved through the "magic" ObjectAccess and the returned property value is callable, the resolver will call that function:
```php
// Excerpt from DefaultFieldResolver (the risky code as it stands):
// read the field via the "magic" ObjectAccess ...
if (is_object($source) && ObjectAccess::isPropertyGettable($source, $fieldName)) {
    $resolvedProperty = ObjectAccess::getProperty($source, $fieldName);
}
// ... and if PHP considers the value callable, invoke it as a resolver.
// A plain string such as 'max' or 'tan' passes is_callable() too.
if (is_callable($resolvedProperty)) {
    return $resolvedProperty($source, $args, $context, $info);
}
```
I noticed this when working with a user with firstName "Max". I do not have a specific resolver for User.
So, first the DefaultFieldResolver gets the firstName property from the User object through ObjectAccess::getProperty and assigns $resolvedProperty = 'Max'. Since 'Max' is callable, this is executed.
This is quite risky when working with user input. Possibly only support Closures here?
@johannessteu do you know how to solve this in the best & secure way?
I came across this today as well, in my case a company with name "Tan" caused the Resolver to try to call tan().
Just submitted this PR: https://github.com/t3n/graphql/pull/38 It works for me for quite some time now.
This is indeed risky and probably (for most people) unexpected. Limiting the call to Closure values as in the suggested PR sounds reasonable to me… does that match the intention of the DefaultFieldResolver behaviour, @johannessteu?
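The behaviour reported in the issue, and the Closure-only check proposed in the PR, side by side as an added example (this is not code from t3n/graphql or from the linked PR). The `Company`, `Report` and `getProperty()` names are constructed stand-ins for a domain object and for `ObjectAccess::getProperty()`, and the resolver signature is simplified to `($source, $args)`. It runs on PHP 8.0+ and needs nothing beyond the standard library.

```php
<?php
// Added example: why is_callable() on a property value is dangerous in a
// default field resolver, and the Closure-only variant beside it.
declare(strict_types=1);

// Constructed stand-in for a domain object that ObjectAccess would read.
final class Company
{
    public function __construct(public string $name) {}
}

// Hypothetical stand-in for ObjectAccess::getProperty(): public property
// first, then a getXxx() getter; null when nothing is gettable.
function getProperty(object $source, string $fieldName): mixed
{
    if (property_exists($source, $fieldName)) {
        return $source->$fieldName;
    }
    $getter = 'get' . ucfirst($fieldName);
    if (method_exists($source, $getter)) {
        return $source->$getter();
    }
    return null;
}

// Vulnerable form: anything PHP considers callable is invoked.
// The string 'Tan' is callable because function names are case-insensitive
// and the built-in tan() exists; the same holds for 'Max' and max().
function resolveVulnerable(object $source, string $fieldName, array $args = []): mixed
{
    $resolvedProperty = getProperty($source, $fieldName);
    if (is_callable($resolvedProperty)) {
        return $resolvedProperty($source, $args); // becomes tan($source, $args)
    }
    return $resolvedProperty;
}

// Hardened form: only a real Closure is treated as a field resolver;
// strings and arrays are returned as plain data and never invoked.
function resolveHardened(object $source, string $fieldName, array $args = []): mixed
{
    $resolvedProperty = getProperty($source, $fieldName);
    if ($resolvedProperty instanceof \Closure) {
        return $resolvedProperty($source, $args);
    }
    return $resolvedProperty;
}

$company = new Company('Tan');

var_dump(is_callable('Tan')); // bool(true): resolves to the built-in tan()

try {
    // On PHP 8 tan() rejects an object argument with an Error; on older
    // versions it would silently compute something and return a float.
    var_dump(resolveVulnerable($company, 'name'));
} catch (\Throwable $e) {
    echo 'vulnerable resolver tried to call tan(): ', get_class($e), PHP_EOL;
}

var_dump(resolveHardened($company, 'name')); // string(3) "Tan"

// A genuine Closure field still works with the hardened check.
final class Report
{
    public \Closure $summary;

    public function __construct()
    {
        $this->summary = fn(object $src, array $args): string => 'ok';
    }
}
var_dump(resolveHardened(new Report(), 'summary')); // string(2) "ok"
```

The `instanceof \Closure` test is the narrowest fix: a user-supplied string can never satisfy it, whereas `is_callable()` also accepts function-name strings and `[object, 'method']` arrays, both of which can be assembled from data.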