BeBoRE
BeBoRE6mo ago

tRPC doesn't explicitly check Content-Type

OWASP recommends explicitly checking the Content-Type header to be the expected one, but when I pass Content-Type: 'application/xml' to tRPC with JSON, it just parses it like it's JSON, instead of throwing a 400 or something. Is there a reason why this is done this way, and how can I change this behavior?
7 Replies
Nick
Nick6mo ago
This may well change in the future when we do support content types, but right now it's JSON or bust
BeBoRE
BeBoRE6mo ago
I understand you don't support other formats, but when I send a request with the Content-Type header to application/xml and then proceed to send JSON in the body, you'd expect either a 400 or 415 to be thrown. I don't know why OWASP recommends this however, but I need to implement this for a school project. I'll just use the nextjs adapter example to enable this behaviour. https://trpc.io/docs/server/adapters/nextjs#handling-cors-and-other-advanced-usage
Next.js Adapter | tRPC
tRPC's support for Next.js is far more expansive than just an adapter. This page covers a brief summary of how to set up the adapter, but complete documentation is available here
BeBoRE
BeBoRE5mo ago
I've become convinced that not checking the Content-Type header leaves users more vulnerable to CSRF attacks using forms on mutations where input is required.
BeBoRE
BeBoRE5mo ago
The Content-Type header does get checked in the case of the fetchRequestHandler, but not when using the createNextApiHandler.
GitHub
trpc/packages/server/src/adapters/fetch/fetchRequestHandler.ts at 4...
🧙‍♀️ Move Fast and Break Nothing. End-to-end typesafe APIs made easy. - trpc/trpc
Nick
Nick5mo ago
A github issue with some kind of reproduction for how this is a risk would be helpful, doing it here if you think there's an issue won't lead it to be looked at
BeBoRE
BeBoRE5mo ago
👍
BeBoRE
BeBoRE5mo ago
Created an issue with a little demo
GitHub
feat: Explicit Content-Type checks · Issue #5522 · trpc/trpc
Describe the feature you'd like to request Forms can easily be used to execute CSRF attacks, since they are not blocked by CORS. Endpoints that are especially vulnerable are endpoints that expe...
GitHub
GitHub - BeBoRE/trpc-csrf-test
Contribute to BeBoRE/trpc-csrf-test development by creating an account on GitHub.
More Posts
Create a typescript type that refers to a useQuery hook dynamicallyI'm trying to create a typescript type that generically refers to a useQuery hook (e.g. I am tryingtRPC Options Method not Allow in Vercel Next.jsI've been getting this error and I have already added CORS in my projects, in initializing the routeBest way to update a TRPC useQuery response without refetchingHey, I currently have a trpc useQuery endpoint which retrieves a series of form submissions for a uWhat is a useSuspenseQuery?Hi, I'm wondering what a useSuspenseQuery is, im looking at the docs but it doesn't explain it anywhNo "mutation"-procedure on pathHello all, I am using the latest version of TRPC on my client and server. I am using React Query onis there a better way to do this?```js let query; let params; switch (getWhat) { case "posts": query = api.user.userPHow to access the query cache data?I want to be able to use a data from already queried data as an initial data of another query. Is thThoughts on how to integrate t3 app, connectkit web3 auth, nextjs middleware, and trpcI am prototyping an application using t3 app with trpc, connectkit web3 auth. I am wanting to use nonError callback typeI want to have a callback onError passed from parent component to the child which has mutation call.Can I perform react query queries without using a trpc procedure, using useQuery standaloneHey, I need to perform a client site request, and I can't implement it with TRPC, so can I use regul