On main: add-mutations #74

DryRunSecurity / IDOR Analyzer succeeded May 27, 2025 in 11s

DryRun Security


IDOR Analyzer Findings: 2 detected

⚠️ Potential IDOR Vulnerability: app/graphql/mutations/notifications/mark_notification_as_read.rb

Type: Potential IDOR Vulnerability

Description: This code represents a potential IDOR vulnerability because it lacks user authorization checks when retrieving and modifying a notification. The mutation simply finds a notification by ID without verifying that the current user has the right to access or modify that specific notification. An attacker could potentially manipulate the notification ID to read or modify notifications belonging to other users.

Filename: app/graphql/mutations/notifications/mark_notification_as_read.rb

Code:

```ruby
module Mutations
  module Notifications
    class MarkNotificationAsRead < BaseMutation
      graphql_name 'MarkNotificationAsRead'

      # Input argument to indicate which notification to update.
      argument :id, ID, required: true

      # The response includes the updated notification and any errors.
      field :notification, Types::NotificationType, null: true
      field :errors, [String], null: false

      def resolve(id:)
        # Lookup is by id alone; nothing ties the record to the requesting user.
        notification = Notification.find_by(id: id)
        return { notification: nil, errors: ["Notification not found"] } unless notification

        notification.read = true
        if notification.save
          { notification: notification, errors: [] }
        else
          { notification: nil, errors: notification.errors.full_messages }
        end
      end
    end
  end
end
```
⚠️ Potential IDOR Vulnerability: app/graphql/mutations/notifications/delete_notification.rb

Type: Potential IDOR Vulnerability

Description: This code represents a potential Insecure Direct Object Reference (IDOR) vulnerability because it allows deletion of a notification by ID without verifying the requester's ownership or authorization. The resolve method simply finds a notification by ID and attempts to destroy it, with no checks to ensure the current user has the right to delete that specific notification. This could allow an attacker to delete notifications belonging to other users by guessing or enumerating notification IDs.

Filename: app/graphql/mutations/notifications/delete_notification.rb

Code:

```ruby
module Mutations
  module Notifications
    class DeleteNotification < BaseMutation
      graphql_name 'DeleteNotification'

      # Input argument to indicate which notification to delete.
      argument :id, ID, required: true

      # The response indicates success and returns any errors.
      field :success, Boolean, null: false
      field :errors, [String], null: false

      def resolve(id:)
        # Lookup is by id alone; nothing ties the record to the requesting user.
        notification = Notification.find_by(id: id)
        return { success: false, errors: ["Notification not found"] } unless notification

        if notification.destroy
          { success: true, errors: [] }
        else
          { success: false, errors: notification.errors.full_messages }
        end
      end
    end
  end
end
```