drupal-graphql/graphql

Graphql Examples module allows anonymous users to view unpublished content

klausi opened this issue · 0 comments

Originally reported by bander2 to the Drupal security team, but it was decided to make this issue public as it only affects the Example module.

This module has an access bypass vulnerability.

You can see this vulnerability by:

  1. Enable the module and the "GraphQL examples" module (version 8.x-4.4)
  2. Create a graphql server by going to /admin/config/graphql/servers/create and selecting "Example schema" for the schema. The label and endpoint don't matter, but let's pick "Example" and /graphql so we are on the same page. Use defaults for everything else.
  3. Create 2 articles, one published and one unpublished
  4. Give the anonymous role the "execute example arbitrary graphql requests" permission but not permissions to view unpublished content (I think this would be a user without "administer nodes" or "bypass node access" permissions), then perform the following GraphQL request:
     curl -g \
     -X POST \
     -H "Content-Type: application/json" \
     -d '{"query":"query MyQuery {articles {items{ title }}}"}' \
     http://localhost/graphql

You will be able to see the title of both the published and unpublished articles.
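The leak comes from the example schema resolving `articles` without consulting node access for the requesting account. The following is an added illustration, not code from the graphql module: the unchecked pattern beside a hardened resolver that re-checks each loaded node. The resolver wiring assumes the 4.x `ResolverBuilder::callback()` signature and a hypothetical `Query.articles` field.

```php
<?php

use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Vulnerable pattern: load every article with access checks disabled.
 * Anyone holding "execute example arbitrary graphql requests" then sees
 * unpublished titles, which is the behaviour reported in this issue.
 */
function example_articles_unchecked(EntityTypeManagerInterface $etm): array {
  $storage = $etm->getStorage('node');
  $ids = $storage->getQuery()
    ->condition('type', 'article')
    ->accessCheck(FALSE)
    ->execute();
  return $storage->loadMultiple($ids);
}

/**
 * Hardened pattern: query with access checks on, then re-check every loaded
 * node via the entity access handler for the requesting account.
 *
 * Caveat: accessCheck(TRUE) alone only applies node_access grants; when no
 * module implements hook_node_grants() the query does not filter unpublished
 * nodes. $node->access('view', $account) goes through NodeAccessControlHandler,
 * which does enforce published status, so the per-entity check closes the gap.
 */
function example_articles_checked(EntityTypeManagerInterface $etm, AccountInterface $account): array {
  $storage = $etm->getStorage('node');
  $ids = $storage->getQuery()
    ->condition('type', 'article')
    ->accessCheck(TRUE)
    ->execute();
  return array_filter(
    $storage->loadMultiple($ids),
    fn(NodeInterface $node) => $node->access('view', $account)
  );
}

// Hypothetical wiring inside a schema plugin's getResolverRegistry():
// $builder is the module's ResolverBuilder, $registry its ResolverRegistry.
$registry->addFieldResolver('Query', 'articles',
  $builder->callback(function ($value, $args, $context, $info, $field) {
    $nodes = example_articles_checked(\Drupal::entityTypeManager(), \Drupal::currentUser());
    foreach ($nodes as $node) {
      // The result now depends on each node's status and on the caller's
      // permissions, so the cache metadata must say so.
      $field->addCacheableDependency($node);
    }
    $field->addCacheContexts(['user.permissions']);
    return array_values($nodes);
  })
);
```

With this in place the request from step 4 returns only the published article for the anonymous role, and the cache contexts keep a cached anonymous response from being served to a user who is allowed to see more.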