tRPC doesn't explicitly check Content-Type

OWASP recommends explicitly checking the Content-Type header to be the expected one, but when I pass Content-Type: 'application/xml' to tRPC with JSON, it just parses it like it's JSON, instead of throwing a 400 or something. Is there a reason why this is done this way, and how can I change this behavior?
Nick (63d ago)
This may well change in the future when we do support content types, but right now it's JSON or bust
BeBoRE (62d ago)
I understand you don't support other formats, but when I send a request with the Content-Type header set to application/xml and then proceed to send JSON in the body, you'd expect either a 400 or 415 to be thrown. I don't know why OWASP recommends this, however, but I need to implement this for a school project. I'll just use the Next.js adapter example to enable this behaviour. https://trpc.io/docs/server/adapters/nextjs#handling-cors-and-other-advanced-usage
Next.js Adapter | tRPC
tRPC's support for Next.js is far more expansive than just an adapter. This page covers a brief summary of how to set up the adapter, but complete documentation is available here
BeBoRE (53d ago)
I've become convinced that not checking the Content-Type header leaves users more vulnerable to CSRF attacks using forms on mutations where input is required.
BeBoRE (53d ago)
The Content-Type header does get checked in the case of the fetchRequestHandler, but not when using the createNextApiHandler.
GitHub
trpc/packages/server/src/adapters/fetch/fetchRequestHandler.ts at 4...
🧙‍♀️ Move Fast and Break Nothing. End-to-end typesafe APIs made easy. - trpc/trpc
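The check described above (present in fetchRequestHandler, absent in createNextApiHandler) can be enforced in front of the Next.js adapter, which is also what the earlier "I'll just use the nextjs adapter example" message is after. The following is an added example, not code from tRPC or from anyone in this thread; the `ApiRequest`/`ApiResponse` shapes, `withJsonContentType` and `runSample` are assumed stand-ins so the file runs without Next.js installed.

```typescript
// Added example (not tRPC's own code): reject body-carrying requests whose
// Content-Type is not application/json before the wrapped handler runs.
// Request/response shapes are minimal structural stand-ins (assumption) so
// this compiles and runs without next/types.

type ApiRequest = {
  method?: string;
  headers: Record<string, string | string[] | undefined>;
};
type ApiResponse = {
  status(code: number): ApiResponse;
  json(body: unknown): void;
};
type ApiHandler = (req: ApiRequest, res: ApiResponse) => unknown;

/** Media type from a Content-Type header, parameters such as charset dropped. */
export function mediaType(header: string | string[] | undefined): string | null {
  if (header === undefined) return null;
  const value = Array.isArray(header) ? header[0] ?? "" : header;
  const type = (value.split(";")[0] ?? "").trim().toLowerCase();
  return type.length > 0 ? type : null;
}

/** True only for application/json, with or without parameters. */
export function isJsonContentType(header: string | string[] | undefined): boolean {
  return mediaType(header) === "application/json";
}

/** Methods that carry a request body and therefore must declare application/json. */
const BODY_METHODS = new Set(["POST", "PUT", "PATCH"]);

/**
 * Wrap an API handler so that any body-carrying request without a JSON
 * Content-Type is answered with 415 Unsupported Media Type. HTML forms can
 * only submit urlencoded, multipart or text/plain bodies, so none of them
 * get past this check; GET (tRPC queries) is passed through untouched.
 */
export function withJsonContentType(handler: ApiHandler): ApiHandler {
  return (req, res) => {
    const method = (req.method ?? "GET").toUpperCase();
    if (BODY_METHODS.has(method) && !isJsonContentType(req.headers["content-type"])) {
      res.status(415).json({ error: "Unsupported Media Type: expected application/json" });
      return;
    }
    return handler(req, res);
  };
}

/**
 * Constructed harness (assumption, no server involved): runs the guarded
 * handler against a fake request and reports the status and whether the
 * inner handler was reached.
 */
export function runSample(method: string, contentType?: string): { status: number; reachedHandler: boolean } {
  let status = 200;
  let reachedHandler = false;
  const res: ApiResponse = {
    status(code) {
      status = code;
      return res;
    },
    json() {},
  };
  const guarded = withJsonContentType((_req, r) => {
    reachedHandler = true;
    r.status(200).json({ ok: true });
  });
  guarded(
    { method, headers: contentType === undefined ? {} : { "content-type": contentType } },
    res,
  );
  return { status, reachedHandler };
}

// Stand-alone demo: a form-style POST is refused, a JSON POST and a GET query go through.
console.log(runSample("POST", "application/x-www-form-urlencoded"));
console.log(runSample("POST", "application/json; charset=utf-8"));
console.log(runSample("GET"));
```

With Next.js (Pages Router API route) this would be composed as `export default withJsonContentType(createNextApiHandler({ router: appRouter, createContext }))`; that composition is assumed here, not taken from tRPC's docs. The media type is compared case-insensitively and without parameters so `application/json; charset=utf-8` still passes, while a missing header, `text/plain` or the `application/xml` case from the opening question is refused with 415 before any body parsing happens.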
Nick (53d ago)
A GitHub issue with some kind of reproduction of how this is a risk would be helpful; raising it here if you think there's an issue won't lead to it being looked at.
BeBoRE (53d ago)
👍
BeBoRE (52d ago)
Created an issue with a little demo
GitHub
feat: Explicit Content-Type checks · Issue #5522 · trpc/trpc
Describe the feature you'd like to request Forms can easily be used to execute CSRF attacks, since they are not blocked by CORS. Endpoints that are especially vulnerable are endpoints that expe...
GitHub
GitHub - BeBoRE/trpc-csrf-test
Contribute to BeBoRE/trpc-csrf-test development by creating an account on GitHub.