tRPC doesn't explicitly check Content-Type
OWASP recommends explicitly checking the Content-Type header to be the expected one, but when I pass Content-Type: 'application/xml' to tRPC with JSON, it just parses it like it's JSON, instead of throwing a 400 or something. Is there a reason why this is done this way, and how can I change this behavior?
7 Replies
This may well change in the future when we do support content types, but right now it's JSON or bust
I understand you don't support other formats, but when I send a request with the Content-Type header set to application/xml and then proceed to send JSON in the body, you'd expect either a 400 or 415 to be thrown. I don't know why OWASP recommends this, however, but I need to implement this for a school project. I'll just use the nextjs adapter example to enable this behaviour.
https://trpc.io/docs/server/adapters/nextjs#handling-cors-and-other-advanced-usage
Next.js Adapter | tRPC
tRPC's support for Next.js is far more expansive than just an adapter. This page covers a brief summary of how to set up the adapter, but complete documentation is available here
I've become convinced that not checking the Content-Type header leaves users more vulnerable to CSRF attacks using forms on mutations where input is required.
The Content-Type header does get checked in the case of the fetchRequestHandler, but not when using the createNextApiHandler.
GitHub: trpc/packages/server/src/adapters/fetch/fetchRequestHandler.ts at 4...
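The check the two posts above describe (reject non-JSON bodies before the Next.js adapter parses them, the way fetchRequestHandler already does), as an added example that is not tRPC's own code: a wrapper you would put around the handler returned by createNextApiHandler. The `Req`/`Res` shapes and `withContentTypeCheck` are assumed names so the snippet runs without Next.js or tRPC installed.

```typescript
// Minimal request/response shapes so this runs stand-alone; in a Next.js API route
// these are NextApiRequest / NextApiResponse and `handler` is createNextApiHandler({...}).
type Req = { method?: string; headers: Record<string, string | string[] | undefined> };
type Res = { statusCode: number; setHeader(name: string, value: string): void; end(body?: string): void };
type Handler = (req: Req, res: Res) => unknown;

// The only media type a JSON-only API should accept for a request body.
// Browser forms can only send application/x-www-form-urlencoded, multipart/form-data
// or text/plain, so rejecting everything else closes the cross-site form submission path.
const ALLOWED_MEDIA_TYPES = new Set(["application/json"]);

// Compares the media type only; parameters such as "; charset=utf-8" are ignored.
function contentTypeAccepted(header: string | string[] | undefined): boolean {
  const raw = Array.isArray(header) ? header[0] : header;
  if (!raw) return false; // missing header: treat like a form post and reject
  const mediaType = raw.split(";")[0].trim().toLowerCase();
  return ALLOWED_MEDIA_TYPES.has(mediaType);
}

// Runs the Content-Type check before the wrapped handler touches the body.
// Queries (GET/HEAD/OPTIONS) carry their input in the URL, so only body-bearing
// methods, i.e. mutations, are checked; violations get 415 Unsupported Media Type.
function withContentTypeCheck(handler: Handler): Handler {
  return (req, res) => {
    const method = (req.method ?? "GET").toUpperCase();
    if (method === "GET" || method === "HEAD" || method === "OPTIONS") {
      return handler(req, res);
    }
    if (!contentTypeAccepted(req.headers["content-type"])) {
      res.statusCode = 415;
      res.setHeader("Content-Type", "application/json");
      res.end(JSON.stringify({ error: "Unsupported Media Type: expected application/json" }));
      return;
    }
    return handler(req, res);
  };
}
```

In the route file this becomes `export default withContentTypeCheck(createNextApiHandler({ router: appRouter, createContext }))`; the 415 is returned before any procedure or input parser runs.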
A github issue with some kind of reproduction for how this is a risk would be helpful, doing it here if you think there's an issue won't lead it to be looked at
GitHub: feat: Explicit Content-Type checks · Issue #5522 · trpc/trpc
Describe the feature you'd like to request: Forms can easily be used to execute CSRF attacks, since they are not blocked by CORS. Endpoints that are especially vulnerable are endpoints that expe...
GitHub: BeBoRE/trpc-csrf-test