Graphiti Arbitrary Method Execution Vulnerability in JSONAPI Write Functionality
Vulnerability
A vulnerability allowing arbitrary method execution has been identified in Graphiti versions prior to 1.10.2. This issue affects the framework's JSONAPI write functionality, where an attacker can manipulate relationship names in a crafted JSONAPI payload to invoke any public method on the associated model instance, its class, or related instances or classes. The vulnerability arises because the 'Graphiti::Util::ValidationResponse#all_valid?' method directly uses user-supplied relationship names without proper validation, potentially leading to the execution of destructive operations. Applications that expose Graphiti write endpoints to untrusted users are vulnerable.
Impact
Exploitation of this vulnerability allows attackers to execute arbitrary public methods on model instances, classes, or their associations, including destructive operations.
Reproduction
To reproduce this vulnerability, send a JSONAPI payload to a Graphiti write endpoint (such as create, update, or delete) that includes arbitrary relationship names. The 'Graphiti::Util::ValidationResponse#all_valid?' method will process these names without validation, allowing the invocation of any public method on the targeted model or its associations.
Remediation
Upgrade Graphiti to version 1.10.2 or later. If an immediate upgrade is not possible, restrict write access to trusted users and apply strong authentication and authorization checks before processing any write operations.
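The pattern described above, as an added Ruby illustration that is not Graphiti's own code: a hypothetical validator that turns the JSONAPI document's relationship keys straight into method calls, beside a hardened version that only dispatches to relationships the resource declared. The `Post` and `Comment` models, `DECLARED_RELATIONSHIPS`, and both payloads are constructed for the example.

```ruby
# Added illustration, not Graphiti's code: models the bug class the advisory
# describes (user-supplied relationship names used as method names) and the
# allowlist check a hardened validator applies before dispatching.

class Comment
  def valid?
    true
  end
end

class Post
  attr_reader :destroyed, :comments
  def initialize
    @destroyed = false
    @comments = [Comment.new]   # the one relationship this resource declares
  end
  def destroy!                  # public and destructive; must never be reachable from a payload key
    @destroyed = true
  end
end

# Relationships this hypothetical resource declares; anything else is rejected.
DECLARED_RELATIONSHIPS = { "Post" => %w[comments] }.freeze

# Relationship names come straight from the JSONAPI document's "relationships" hash.
def relationship_names(payload)
  payload.dig("data", "relationships")&.keys || []
end

def related_valid?(related)
  Array(related).all? { |r| !r.respond_to?(:valid?) || r.valid? }
end

# Vulnerable pattern: the client-chosen key becomes the method that is called.
def all_valid_unsafe?(model, payload)
  relationship_names(payload).all? { |name| related_valid?(model.public_send(name)) }
end

# Hardened pattern: dispatch only to names the resource declared; reject the rest.
def all_valid_safe?(model, payload)
  allowed = DECLARED_RELATIONSHIPS.fetch(model.class.name, [])
  relationship_names(payload).all? do |name|
    raise ArgumentError, "unknown relationship: #{name}" unless allowed.include?(name)
    related_valid?(model.public_send(name))
  end
end

# Constructed payloads: a legitimate one and one carrying a method name as a key.
GOOD_PAYLOAD = { "data" => { "type" => "posts", "relationships" => { "comments" => { "data" => [] } } } }.freeze
BAD_PAYLOAD  = { "data" => { "type" => "posts", "relationships" => { "destroy!" => { "data" => [] } } } }.freeze
```

The allowlist is the check to look for when reviewing a patched version: relationship names must be matched against the resource's declared relationships before any dispatch on the model.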