Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate user input to prevent GraphQL injection attack #2521

Closed
wants to merge 1 commit into from
Closed

Validate user input to prevent GraphQL injection attack #2521

wants to merge 1 commit into from

Conversation

jcoyne
Copy link
Contributor

@jcoyne jcoyne commented Jul 9, 2024

Fixes #2520

@jcoyne jcoyne force-pushed the prevent-injection branch from a2d10a3 to d8fda20 Compare July 9, 2024 15:16
cbeer
cbeer reviewed Jul 9, 2024
View reviewed changes
app/controllers/patron_requests_controller.rb Outdated
@@ -39,6 +39,9 @@ def current_request

def assign_new_attributes
@patron_request.assign_attributes(**new_params)
# This validation prevents an injection attack in GraphQL. Ideally, this would be a model validation,
# but there are other validations that require first running a GraphQL query.
raise ActionController::BadRequest unless /\Aa?\d+\z/.match?(new_params[:instance_hrid])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This regex is.. starts with an a or a digit? We also have hrids that start with L, or in, and probably arbitrary now in FOLIO.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. I've updated it include those cases as well.

@jcoyne jcoyne force-pushed the prevent-injection branch from d8fda20 to 0af467c Compare July 9, 2024 15:17
@jcoyne jcoyne force-pushed the prevent-injection branch from 0af467c to 9fdf55d Compare July 9, 2024 15:19
cbeer
cbeer reviewed Jul 9, 2024
View reviewed changes
app/controllers/patron_requests_controller.rb
@@ -39,6 +39,9 @@ def current_request

def assign_new_attributes
@patron_request.assign_attributes(**new_params)
# This validation prevents an injection attack in GraphQL. Ideally, this would be a model validation,
# but there are other validations that require first running a GraphQL query.
raise ActionController::BadRequest unless /\A(a|L|in)?\d+\z/.match?(new_params[:instance_hrid])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty -0 on this. I don't know that we'll be informed when new prefixes are used in FOLIO (and, like I said in my initial comment, I believe they can be arbitrary.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about \w+? It seems bad for people to be injecting quotes, etc.

@cbeer
Copy link
Member

cbeer commented Jul 9, 2024

Obsoleted by #2524

@cbeer cbeer closed this Jul 9, 2024
@cbeer cbeer deleted the prevent-injection branch July 9, 2024 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cbeer cbeer cbeer left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[sul-requests/prod] RuntimeError: Syntax Error: Unterminated string.
2 participants
@jcoyne @cbeer