Original message:
I found an issue with security grants on on properties in the GraphQL ItemNormalizer:
If you use something like #[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')] on a member of an entity, the grant gets cached and is only evaluated once, even if the object in question is a different one.
There is the ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method that seems to be intended to prevent this:
|
/** |
|
* Check if any property contains a security grants, which makes the cache key not safe, |
|
* as allowed_properties can differ for 2 instances of the same object. |
|
*/ |
|
private function isCacheKeySafe(array $context): bool |
and in its usage on line 90 it does indeed not create a cache key, but the
parent::normalize() that is called afterwards still creates the cache key and causes the issue.
Impact
It grants access to properties that it should not.
Workarounds
Override the ItemNormalizer.
Patched at: 7af65aa
ausi Reporter
alanpoulain Remediation reviewer
soyuka Remediation developer
Original message:
I found an issue with security grants on on properties in the GraphQL ItemNormalizer:
If you use something like
#[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')]on a member of an entity, the grant gets cached and is only evaluated once, even if theobjectin question is a different one.There is the
ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe()method that seems to be intended to prevent this:core/src/GraphQl/Serializer/ItemNormalizer.php
Lines 160 to 164 in 88f5ac5
and in its usage on line 90 it does indeed not create a cache key, but the
parent::normalize()that is called afterwards still creates the cache key and causes the issue.Impact
It grants access to properties that it should not.
Workarounds
Override the ItemNormalizer.
Patched at: 7af65aa