BeBoRE
BeBoRE11mo ago

tRPC doesn't explicitly check Content-Type

OWASP recommends explicitly checking the Content-Type header to be the expected one, but when I pass Content-Type: 'application/xml' to tRPC with JSON, it just parses it like it's JSON, instead of throwing a 400 or something. Is there a reason why this is done this way, and how can I change this behavior?
7 Replies
Nick
Nick11mo ago
This may well change in the future when we do support content types, but right now it's JSON or bust
BeBoRE
BeBoREOP11mo ago
I understand you don't support other formats, but when I send a request with the Content-Type header to application/xml and then proceed to send JSON in the body, you'd expect either a 400 or 415 to be thrown. I don't know why OWASP recommends this however, but I need to implement this for a school project. I'll just use the nextjs adapter example to enable this behaviour. https://trpc.io/docs/server/adapters/nextjs#handling-cors-and-other-advanced-usage
Next.js Adapter | tRPC
tRPC's support for Next.js is far more expansive than just an adapter. This page covers a brief summary of how to set up the adapter, but complete documentation is available here
BeBoRE
BeBoREOP11mo ago
I've become convinced that not checking the Content-Type header leaves users more vulnerable to CSRF attacks using forms on mutations where input is required.
BeBoRE
BeBoREOP11mo ago
The Content-Type header does get checked in the case of the fetchRequestHandler, but not when using the createNextApiHandler.
GitHub
trpc/packages/server/src/adapters/fetch/fetchRequestHandler.ts at 4...
🧙‍♀️ Move Fast and Break Nothing. End-to-end typesafe APIs made easy. - trpc/trpc
Nick
Nick11mo ago
A github issue with some kind of reproduction for how this is a risk would be helpful, doing it here if you think there's an issue won't lead it to be looked at
BeBoRE
BeBoREOP11mo ago
👍
BeBoRE
BeBoREOP11mo ago
Created an issue with a little demo
GitHub
feat: Explicit Content-Type checks · Issue #5522 · trpc/trpc
Describe the feature you'd like to request Forms can easily be used to execute CSRF attacks, since they are not blocked by CORS. Endpoints that are especially vulnerable are endpoints that expe...
GitHub
GitHub - BeBoRE/trpc-csrf-test
Contribute to BeBoRE/trpc-csrf-test development by creating an account on GitHub.

Did you find this page helpful?