Skip to content

fix(deps): update dependency api-platform/core to v3.4.17 [security]#7168

Merged
renovate[bot] merged 1 commit intodevelfrom
renovate/packagist-api-platform-core-vulnerability
Apr 11, 2025
Merged

fix(deps): update dependency api-platform/core to v3.4.17 [security]#7168
renovate[bot] merged 1 commit intodevelfrom
renovate/packagist-api-platform-core-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Apr 4, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
api-platform/core (source) 3.4.16 -> 3.4.17 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-31485

Original message:

I found an issue with security grants on on properties in the GraphQL ItemNormalizer:

If you use something like #[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')] on a member of an entity, the grant gets cached and is only evaluated once, even if the object in question is a different one.

There is the ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164
and in its usage on line 90 it does indeed not create a cache key, but the parent::normalize() that is called afterwards still creates the cache key and causes the issue.

Impact

It grants access to properties that it should not.

Workarounds

Override the ItemNormalizer.

Patched at: api-platform/core@7af65aa

CVE-2025-31481

Summary

Using the Relay special node type you can bypass the configured security on an operation.

Details

Here is an example of how to apply security configurations for the GraphQL operations:

#[ApiResource(
    security: "is_granted('ROLE_USER')",
    operations: [ /* ... */ ],
    graphQlOperations: [
        new Query(security: "is_granted('ROLE_USER')"),
        //...
    ],
)]
class Book { /* ... */ }

This indeed checks is_granted('ROLE_USER') as expected for a GraphQL query like the following:

‌query {
    book(id: "/books/1") {
        title
    }
}

But the security check can be bypassed by using the node field (that is available by default) on the root query type like that:

‌query {
    node(id: "/books/1") {
        ... on Book {
            title
        }
    }
}

This does not execute any security checks and can therefore be used to access any entity without restrictions by everyone that has access to the API.

Impact

Everyone using GraphQl with the security attribute. Not sure whereas this works with custom resolvers nor if this also applies on mutation.

Patched at api-platform/core@60747cc

Release Notes

api-platform/core (api-platform/core)

v3.4.17

Compare Source

Exceptional release as 3.4 is not maintained anymore, this resolves our recent security issues:

GHSA-cg3c-245w-728m
GHSA-428q-q3vv-3fq3

What's Changed

Full Changelog: api-platform/core@v3.4.16...v3.4.17

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Apr 4, 2025
@renovate
Copy link
Contributor Author

renovate bot commented Apr 4, 2025

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

  • Branch has one or more failed status checks

@renovate renovate bot enabled auto-merge April 4, 2025 18:54
@renovate renovate bot force-pushed the renovate/packagist-api-platform-core-vulnerability branch from e5ef1bc to 3641513 Compare April 8, 2025 18:07
@renovate renovate bot changed the title fix(deps): update dependency api-platform/core to v4 [security] fix(deps): update dependency api-platform/core to v3.4.17 [security] Apr 8, 2025
@renovate renovate bot force-pushed the renovate/packagist-api-platform-core-vulnerability branch from 3641513 to de90254 Compare April 8, 2025 21:55
@renovate renovate bot changed the title fix(deps): update dependency api-platform/core to v3.4.17 [security] fix(deps): update dependency api-platform/core to v3.4.17 [security] - autoclosed Apr 11, 2025
@renovate renovate bot closed this Apr 11, 2025
auto-merge was automatically disabled April 11, 2025 19:33

Pull request was closed

@renovate renovate bot deleted the renovate/packagist-api-platform-core-vulnerability branch April 11, 2025 19:33
@renovate renovate bot changed the title fix(deps): update dependency api-platform/core to v3.4.17 [security] - autoclosed fix(deps): update dependency api-platform/core to v3.4.17 [security] Apr 11, 2025
@renovate renovate bot reopened this Apr 11, 2025
@renovate renovate bot force-pushed the renovate/packagist-api-platform-core-vulnerability branch from 830700d to de90254 Compare April 11, 2025 19:54
@renovate renovate bot enabled auto-merge April 11, 2025 19:56
@renovate renovate bot added this pull request to the merge queue Apr 11, 2025
Merged via the queue into devel with commit 03b2cb3 Apr 11, 2025
102 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pmattmann pmattmann pmattmann approved these changes

@BacLuc BacLuc BacLuc approved these changes

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pmattmann @BacLuc