Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enforce content type for POST requests #689

Merged
merged 2 commits into from
May 8, 2019

Conversation

tgwizard
Copy link
Contributor

Currently, the gqlgen HTTP handler doesn't look at the request Content-Type header, but just assumes that the request is JSON.

This opens up for a CSRF vulnerability. Servers that accept only application/json usually don't need to care about CSRF if they've disabled CORS, since HTML forms on other pages cannot submit data with application/json content type. However, currently, a HTML form on another site can submit a text/plain request but with a valid JSON body, and the gqlgen server will happily accept it. If the service does auth through cookies, this can be dangerous.

This PR validates the request Content-Type header, similarly to how express-graphql does it: https://github.com/graphql/express-graphql/blob/1eeaa141b5419834c11872741d9c5d12cfa227c3/src/parseBody.js#L51-L59. express-graphql supports application/x-www-form-urlencoded and application/graphql too though, which we could if we wanted.

This PR shouldn't break well-behaving clients, but it definitely could. We could add a config option AllowedContentTypes, where the server could specify which content types it allows. The default (nil/empty slice) could be to support all content types, maintaining backwards compatibility but continuing the slightly weird behaviour, or the default could be to allow "all supported content types", which could mean the application/x-www-form-urlencoded and application/graphql in the future too.

What do you think?

I have:

  • Added tests covering the bug / feature (see testing)
  • Updated any relevant documentation (see docs)

@tgwizard tgwizard force-pushed the enforce-request-content-type branch from 4349786 to f7d0b9c Compare April 24, 2019 08:33
@vektah vektah merged commit e49d44f into 99designs:master May 8, 2019
@vektah
Copy link
Collaborator

vektah commented May 8, 2019

supports application/x-www-form-urlencoded and application/graphql too though, which we could if we wanted.

Hmm, Maybe I've actually broken this in the rebase. #655 adds support for multipart forms. Can I get a sanity check before I cut a release?

This PR shouldn't break well-behaving clients, but it definitely could.

Lets make it very clear in the release notes. Between this and the complexity changes we probably should flag this as 0.9, they both have a decent chance to ruin someones day.

@vektah vektah added the BC break label May 8, 2019
@tgwizard
Copy link
Contributor Author

Oh, sorry, I didn't realize this was merged. The changes look good to me after the rebase too.

@vektah vektah added the v0.9 Fixed in 0.9.0 label May 15, 2019
cgxxv pushed a commit to cgxxv/gqlgen that referenced this pull request Mar 25, 2022
…t-type

Enforce content type for POST requests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
BC break v0.9 Fixed in 0.9.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants