
Allow option to disable handling of form data for POST requests #64

Merged (1 commit) Aug 19, 2024

Conversation

Shane32
Owner

@Shane32 Shane32 commented Aug 19, 2024

There is a CSRF security vulnerability that occurs when:

  • Cookie authentication is in use
  • The user's web browser is logged in to the vulnerable server
  • The foreign origin executes a mutation against the vulnerable server (can be done via the fetch API) and includes credentials
  • The data is sent via multipart/form-data so there is no CORS pre-flight check performed

I have personally verified that this CSRF attack can be exploited when cookie authentication is in use. This branch has a sample project that will successfully execute a cross-origin mutation against the Samples.Authentication project, even though the response fails CORS validation and so the response is not readable in the browser.

Sample JavaScript to perform the attack:

    async function executeGraphQLRequest(serverName, query) {
        const formData = new FormData();
        formData.append('query', query);
        const response = await fetch(`https://${serverName}/graphql`, {
            method: 'POST',
            body: formData,
            credentials: 'include', // Set the credentials option to "include"
        });
        const jsonResponse = await response.json();
        return jsonResponse;
    }
    async function runme() {
        const serverName = 'localhost:7110';
        const query = '{ helloRegisteredUser }';
        const jsonResponse = await executeGraphQLRequest(serverName, query);
        console.log(jsonResponse);
    }

See notes added to readme

We should set the new property to false for v9
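The rule behind the vulnerability described above, as an added example (not code from this project): a browser skips the CORS preflight only when the method, the script-set headers and the Content-Type are all CORS-safelisted, and multipart/form-data is safelisted, so a server-side guard that rejects cookie-authenticated form POSTs (or that ignores requests carrying a non-safelisted custom header, which forces a preflight) closes the hole. The header name `GraphQL-Require-Preflight` and the `BROWSER_MANAGED` set are assumptions of this example, not taken from the PR.

```python
# Added example (not GraphQL.AspNetCore code): a server-side guard modelling
# the PR's rule. A browser skips the CORS preflight when method, headers and
# Content-Type are all CORS-safelisted; multipart/form-data is, so a foreign
# page can POST a mutation with cookies and the server runs it unseen.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
FORM_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}
# Set by the browser, never by page script, so they cannot trigger a preflight
# (simplified; the Fetch spec's forbidden-header list is longer).
BROWSER_MANAGED = {"cookie", "host", "origin", "referer", "user-agent", "content-length"}


def content_type_essence(value):
    """'multipart/form-data; boundary=x' -> 'multipart/form-data'."""
    return value.split(";", 1)[0].strip().lower()


def is_simple_request(method, headers):
    """True if a browser would send this cross-origin with no OPTIONS preflight."""
    if method.upper() not in SAFELISTED_METHODS:
        return False
    for name, value in headers.items():
        name = name.lower()
        if name in BROWSER_MANAGED:
            continue
        if name not in SAFELISTED_HEADERS:
            return False  # e.g. a custom GraphQL-Require-Preflight header (assumed name)
        if name == "content-type" and content_type_essence(value) not in SAFELISTED_CONTENT_TYPES:
            return False  # application/json always preflights
    return True


def should_reject(method, headers, allow_form_post=False):
    """Refuse a cookie-authenticated POST that CORS never got a chance to veto.
    allow_form_post=False mirrors the option the PR adds, at the default the
    author proposes for v9."""
    if method.upper() != "POST":
        return False  # only POST bodies carry mutations in this model
    lower = {k.lower(): v for k, v in headers.items()}
    if "cookie" not in lower:
        return False  # no ambient credential for the request to ride on
    if not is_simple_request(method, headers):
        return False  # a preflight already gave the server a veto
    ct = content_type_essence(lower.get("content-type", ""))
    if ct in FORM_CONTENT_TYPES and allow_form_post:
        return False  # legacy behaviour: the vulnerable form POST is accepted
    return True
```

With `allow_form_post=True` the guard reproduces the pre-fix behaviour, which is why the page's multipart request goes through; with the default it is refused while an `application/json` request, already protected by a preflight, is still accepted.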

@Shane32 Shane32 self-assigned this Aug 19, 2024

@Shane32 Shane32 merged commit c67df30 into master Aug 19, 2024
4 checks passed
@Shane32 Shane32 deleted the form_post_disabling branch August 19, 2024 01:38
@coveralls

Pull Request Test Coverage Report for Build 10445604977

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 9 of 9 (100.0%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.02%) to 94.538%

Totals Coverage Status
Change from base Build 10445490527: 0.02%
Covered Lines: 1841
Relevant Lines: 1898


@Shane32 Shane32 added this to the 5.3.0 milestone Aug 19, 2024