Original message:
I found an issue with security grants on on properties in the GraphQL ItemNormalizer:
If you use something like #[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')] on a member of an entity, the grant gets cached and is only evaluated once, even if the object in question is a different one.
There is the ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164
and in its usage on line 90 it does indeed not create a cache key, but the parent::normalize() that is called afterwards still creates the cache key and causes the issue.
Impact
It grants access to properties that it should not.
Workarounds
Override the ItemNormalizer.
Patched at: api-platform/core@7af65aa
References
ausi Reporter
alanpoulain Remediation reviewer
soyuka Remediation developer
Fafabian Analyst
Original message:
I found an issue with security grants on on properties in the GraphQL ItemNormalizer:
If you use something like
#[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')]on a member of an entity, the grant gets cached and is only evaluated once, even if theobjectin question is a different one.There is the
ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe()method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164and in its usage on line 90 it does indeed not create a cache key, but the
parent::normalize()that is called afterwards still creates the cache key and causes the issue.Impact
It grants access to properties that it should not.
Workarounds
Override the ItemNormalizer.
Patched at: api-platform/core@7af65aa
References