Skip to content

Fix security flaw with nested fragments #256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sungam3r merged 3 commits into from
Jan 10, 2023
Merged

Fix security flaw with nested fragments #256

sungam3r merged 3 commits into from
Jan 10, 2023

Conversation

@Shane32
Copy link
Member

@Shane32 Shane32 commented Jan 10, 2023
edited
Loading

This targets bump but once PR #254 is merged, I can update it to target master. Or it can be merged into bump.

This fixes the security flaw where nested fragments are not processed for authentication when there are multiple operations in the document.

It should also run faster than the previous implementation, and reduces the complexity of the implementation.

@Shane32 Shane32 requested a review from sungam3r January 10, 2023 19:35
@Shane32 Shane32 self-assigned this Jan 10, 2023
@Shane32 Shane32 changed the base branch from master to bump January 10, 2023 19:35
@github-actions github-actions bot added documentation test Pull request that adds new or changes existing tests labels Jan 10, 2023
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 10, 2023
View reviewed changes
src/GraphQL.Authorization/AuthorizationValidationRule.cs
Comment on lines +51 to +52
if ((node is GraphQLOperationDefinition astType && astType == context.Operation) ||
(node is GraphQLFragmentDefinition fragment && (context.GetRecursivelyReferencedFragments(context.Operation)?.Contains(fragment) ?? false)))

Check notice

Code scanning / CodeQL

Complex condition

Complex condition: too many logical operations in this expression.
@Shane32 Shane32 changed the title Fix security flaw Fix security flaw with nested fragments Jan 10, 2023
@sungam3r
Copy link
Member

sungam3r commented Jan 10, 2023

Looks like a huge simplification.

@Shane32
Copy link
Member Author

Shane32 commented Jan 10, 2023

@sungam3r merge here or merge your pr - either way. I will be busy until late tonight.

@sungam3r sungam3r merged commit 5179bf3 into bump Jan 10, 2023
@sungam3r sungam3r deleted the fix_security_flax branch January 10, 2023 22:42
@sungam3r sungam3r mentioned this pull request Jan 10, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sungam3r sungam3r sungam3r approved these changes

Assignees

@Shane32 Shane32

Labels

documentation test Pull request that adds new or changes existing tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Shane32 @sungam3r