Comments (22)
Access control is access control, whatever is the technology or solution for that. My point is - we don't have and we will not make separate access control for api, separate for graphql, for "oldschool solutions" etc.
from asvs.
So @elarlang I think we need to think whether we want to unify this or not. It may be that we want to mention this issue specifically for GraphQL because it is a specific problem when using GraphQL. I think we need to have a think about this.
from asvs.
Most implementations that I have seen do not have the ability to pass in a "fully-hydrated User object instead of an opaque token or API key"
Are we creating a requirement that GraphQL endpoints should not exposed to the client? I think Jim is correct in saying that this will make this requirement out-of-scope for many GraphQL implementations.
from asvs.
Current 13.4.2:
# | Description | L1 | L2 | L3 | CWE |
---|---|---|---|---|---|
13.4.2 | Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer. | ✓ | ✓ | 285 |
Maybe I misinterpreted it, but I think it's more architecture requirement to say, that do not build access control to GraphQL, but use an extra business logic layer for that.
from asvs.
Ok, I understand this requirement is targeting how to implement but not necessarily what to implement. For example, the IDOR control (4.2.1) is directly relevant to REST access control. Should this standard call out basic access controls for GraphQL?
from asvs.
Not suggesting we add all of these requirements, but some sample access control requirements specific to GQL could be:
- Queries are used to only fetch data, any state changes use mutation operations
- Operation-level permissions are enforced
- Object access through operations are controlled and follow the principle of least privilege
I agree with the sentiment if we want to stay broad with access control and GraphQL, then that is already covered in access control. But there are some specific GQL access control factors that could be included in the ASVS in the API section.
from asvs.
Maybe I misinterpreted it, but I think it's more architecture requirement to say, that do not build access control to GraphQL, but use an extra business logic layer for that.
Ok, I understand this requirement is targeting how to implement but not necessarily what to implement. For example, the IDOR control (4.2.1) is directly relevant to REST access control. Should this standard call out basic access controls for GraphQL?
Isn't this true to all whether REST, GraphQL or other forms of APIs that do not build access control in the data layer authorization logic, but use an extra business logic layer for that?
I guess what I'm trying to say is if this is true, then we do not need a GraphQL-specific requirement for that unless that is really different in how GQL handles things than REST and other forms of APIs.
from asvs.
To me, it sounds like problem here is that with a REST API it is usually very clear where the trusted layer is where access control needs to be implemented.
With GraphQL, I think the concern is that there are a couple of layers and we are therefore being a little clearer about where that access control needs to be implemented.
Do you agree @craig-shony?
However, I don't think we need to talk about finer grained access control as that should be covered in a generic way in V4.
from asvs.
As a developer with experience in both REST and GraphQL, I agree that the authZ must be in the business layer in both situations. In principle the requirement is the same.
But because the nature of GraphQL is more complex than REST and developers tend to underestimate this complexity, I support having an explicit point as 13.4.2
from asvs.
What do you think about it @craig-shony? Did @aholmis drive the points that explain this requirement?
If that's the case, I think we should keep the requirement as is. Though, I think we have to add this on L1 too as it currently covers L2 and L3, @tghosth, @elarlang?
from asvs.
In the current state, I get as much value as if you said "do GraphQL securely".
If the goal is to "provide a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development" than I think it's lacking. I'm open to being out-voted though.
from asvs.
I mean I think 13.2.1 is making a specific point, not just "do it securely".
Even here, "Delegate authorization logic to the business logic layer" is the summary:
https://graphql.org/learn/authorization/
from asvs.
Thank you for clarifying, if the point of this item is to make sure you have a separate business logic layer that handles the authorization, then I would not consider that GraphQL specific.
I was reading the requirement as your business logic layer authorization should account for different access model that GraphQL enables, so I was hoping to see access control requirements appropriate to GraphQL.
from asvs.
from asvs.
That's a good point "business logic level" is not really defined, I was going the assumption that having a centralized authorization layer (still within the GraphQL service) so there's one source of truth for access rules and consistent error handling would be check the box.
from asvs.
Having said that, I think this requirement should stay as is if we don't need to modify/remove it. Don't you agree?
from asvs.
Many folks allow clients to directly access GraphQL endpoints directly. In that case the access control needs to be integrated into GraphQL itself. To force everyone to do access control "at the business logic level" for GraphQL use, shows a lack of understanding of how GraphQL is often implemented.
I am afraid @jmanico that https://graphql.org/ disagrees with you :)
https://graphql.org/learn/authorization/
I agree with @csfreak92 that this requirement should probably stay as it is
from asvs.
Are we creating a requirement that GraphQL endpoints should not exposed to the client?
That is what I tend to suggest. But do you think this is a reasonable requirement regarding the way folks realistically roll out GraphQL?
from asvs.
So my understanding was that the suggested mechanism is as follows:
flowchart LR
User((End User/
Client Appp))
GraphQL[GraphQL Layer]
Business["`Business Logic Layer (_**AuthZ applied here**_)`"]
Database[(Database)]
User -->|"Makes GraphQL queries to
pull data into the App"|GraphQL
GraphQL-->|Pulls data from|Business
Business-->|Reads data from|Database
Have I misunderstood?
from asvs.
I just suggest we set a new requirement that states that if you are going to expose graphQL endpoints directly to the client, then you need to implement fine grain access control within graphQL resolvers. I'm not sure if you consider this business logic layer or not, but that is where they belong IMO.
from asvs.
And Josh, I think it would be helpful if both of us stop using the term business logic for this discussion and be more specific about the location in the architecture we are referring to.
Also, when you're using GraphQL on the backend like a traditional database - the way you do authorization security is typically different than when exposing GraphQL to the client directly.
The fact that so many people expose graphQL directly to the client is why this discussion is so much more complicated than a traditional database architecture.
from asvs.
Related Issues (20)
- Most recent artifacts HOT 3
- Warnings on github actions HOT 3
- `install-unx.sh` intermittent failure
- 1.2.2 "User Account" is troubling HOT 3
- 1.2.5 HOT 1
- 2.2.11 HOT 1
- 2.3.1 seems weak HOT 1
- 13.5.3 rate limiting should apply to all APIs HOT 8
- client should not send longer request headers than server can accept HOT 6
- new V5 section for architecture requirements HOT 2
- Requesting Clarifying Definition in the Business Logic Section Header HOT 3
- Something amiss in requirement description for v5.0-50.5.3 HOT 4
- lowercase vs uppercase grammar (original: 6.2.1 causes capitalization inconsistency) HOT 13
- 5.1.1 - terminology, GET and POST... HOT 14
- clarifying 5.1.3 HOT 9
- Should easily visible logout functionality be a requirement or a recomendation HOT 15
- Tracking supporters HOT 6
- V9 rework - 9.2.5 has insufficient value HOT 5
- 2.10.5 (v4.0.3-9.2.3) - belongs in authentication (needs improvement and scope check) HOT 15
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from asvs.