
blocking test #84

Open
jordan-dr wants to merge 2 commits into main from jordan-dr-patch-30

Conversation

@jordan-dr
Contributor

No description provided.

@dryrunsecurity

dryrunsecurity bot commented Apr 23, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request introduces two critical security vulnerabilities: hardcoded database credentials that could enable unauthorized access, and a GraphQL authorization bypass that allows unrestricted access to all mutations by unconditionally returning true in the base authentication method.

✨ Code Policies (2)

- Policy: hardcoded-creds
  Result: The configuration change includes a hard-coded password value "lsjdfa8u4uqf" directly in the database configuration file, which is a security risk. Guidance: refer issues to the security team
- Policy: graphql-auth-check
  Result: The change explicitly modifies the authorized? method in BaseMutation to always return true. Since this is the base class that all GraphQL mutations inherit from (as confirmed by checking delete_user.rb which inherits from BaseMutation), this means ALL GraphQL mutations will bypass authentication checks. The authorized? method is a standard GraphQL authorization hook that should perform actual authentication checks, but this change makes it return true unconditionally.

💭 Unconfirmed Findings (2)

- Vulnerability: Authorization Bypass in GraphQL Mutations
  Description: Critical vulnerability in app/graphql/mutations/base_mutation.rb where the authorize method unconditionally returns true, effectively disabling all authorization checks and allowing unrestricted access to all resources for mutations inheriting from BaseMutation.
- Vulnerability: Hardcoded Database Credentials
  Description: Security risk in config/database.yml where sensitive database password is directly embedded in the configuration file, potentially exposing credentials and enabling unauthorized database access if the file is compromised.

All finding details can be found in the DryRun Security Dashboard.
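The authorization bypass the findings above describe, as an added Ruby example that is neither the PR's code nor DryRun Security's: a base mutation whose authorized? hook always returns true beside a hardened base that requires an authenticated caller, with the same DeleteUser resolver inheriting from each. It uses a small stand-in for graphql-ruby's mutation dispatch (assumed: authorized? is called with the mutation's arguments before resolve), so it runs without the gem; context[:current_user], the admin flag and the DeleteUser id argument are assumptions.

```ruby
# Stand-in for graphql-ruby's mutation base, not the gem's code (assumption: the
# framework calls authorized?(**args) before resolve(**args) and rejects on false).
class MutationStandIn
  attr_reader :context
  def initialize(context:)
    @context = context
  end
  # Dispatch as the framework would: the authorization hook gates resolve.
  def call(**args)
    return { errors: ["not authorized"] } unless authorized?(**args)
    resolve(**args)
  end
end

# What the flagged change amounts to: the shared base answers "yes" for
# everyone, so every mutation inheriting from it skips the check.
class VulnerableBaseMutation < MutationStandIn
  def authorized?(**_args)
    true
  end
end

# Hardened base: require an authenticated caller (context[:current_user] is an
# assumed context key) and let subclasses layer object-level rules on top.
class HardenedBaseMutation < MutationStandIn
  def authorized?(**_args)
    !context[:current_user].nil?
  end
end

# The same DeleteUser resolver on each base; only the inherited hook differs.
module DeleteUserResolve
  def resolve(id:)
    { deleted_id: id, errors: [] }
  end
end

class UnsafeDeleteUser < VulnerableBaseMutation
  include DeleteUserResolve
end

class DeleteUser < HardenedBaseMutation
  include DeleteUserResolve
  # Object-level rule (assumed policy): only an admin or the account owner.
  def authorized?(id:, **_rest)
    return false unless super
    actor = context[:current_user]
    actor[:admin] || actor[:id] == id
  end
end
```

With an empty context, UnsafeDeleteUser deletes any id while DeleteUser refuses; the hardened path also separates "who are you" (base) from "may you touch this object" (subclass), which is the layering the always-true hook removes.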

@jordan-dr jordan-dr closed this Apr 23, 2025
@jordan-dr jordan-dr reopened this Apr 23, 2025
@jordan-dr jordan-dr closed this Apr 23, 2025
@jordan-dr jordan-dr reopened this Apr 23, 2025
@jordan-dr jordan-dr closed this Apr 24, 2025
@jordan-dr jordan-dr reopened this Apr 24, 2025
@jordan-dr jordan-dr closed this Apr 24, 2025
@jordan-dr jordan-dr reopened this Apr 24, 2025
@jordan-dr jordan-dr closed this Apr 24, 2025
@jordan-dr jordan-dr reopened this Apr 24, 2025