JsonApi aggregate endpoint reveals private attribute values

kdim95
Advanced
Posts: 103
Joined: 26 Aug 2022, 12:17

JsonApi aggregate endpoint reveals private attribute values

Post by kdim95 » 25 May 2023, 14:44

Laravel framework version: 9.52.4
Aimeos Laravel version: ~2022.10
PHP Version: 8.2.4
Environment: Linux

Hello,

Is this normal? Because it looks like a vulnerability to me.
The aggregate JsonApi endpoint returns private attribute values under the "id" key in the "data" response.

For example:
/jsonapi/review?aggregate=review.customerid

Response:

```json
{
  "meta": {
    "total": 1,
    "prefix": null,
    "content-baseurl": "",
    "csrf": { "name": "_token", "value": "<TOKEN>" }
  },
  "data": [
    { "id": "<CUSTOMER ID>", "type": "review.customerid", "attributes": 1 }
  ]
}
```
This also works for the review.orderproductid attribute.

This reveals attributes that should be private.

This is bad because I have created a new attribute for storing user IP addresses.
And yes, this method also works with the new attribute /jsonapi/review?aggregate=ip.

I have a topic here about the new attribute for the review IP address:
Add an attribute with a decorator, but private?

aimeos
Administrator
Posts: 7209
Joined: 01 Jan 1970, 00:00

Re: JsonApi aggregate endpoint reveals private attribute values

Post by aimeos » 26 May 2023, 11:15

Aggregating reviews by order product ID is necessary. Doing so by customer ID is unwanted but fortunately, it doesn't reveal any personal data. This is very different when returning the IP addresses of all reviewers with your implementation!

We've changed the code in the Aimeos core to respect the "public" value of the search attributes for aggregation and it's now available in dev-master and 2023.04.x-dev. Unfortunately, there are too many changes necessary to port that back to 2022.10 LTS.
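A minimal illustration of the fix described above, as an added example that is not Aimeos's own code: each search attribute carries a `public` flag, and only public attributes are accepted as aggregation keys, so a request such as `aggregate=review.customerid` or `aggregate=review.ip` is refused instead of answered. The attribute table and the `aggregateKeys()` helper are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Constructed search-attribute definitions modelled on the thread. The
// "public" flag decides whether a client may aggregate by the attribute.
// These names and flags are assumptions, not Aimeos's own definitions.
const SEARCH_ATTRIBUTES = [
    'review.orderproductid' => ['type' => 'int',    'public' => true],
    'review.rating'         => ['type' => 'int',    'public' => true],
    'review.customerid'     => ['type' => 'string', 'public' => false],
    'review.ip'             => ['type' => 'string', 'public' => false],
];

/**
 * Returns the aggregation keys a client may use, dropping any key that is
 * unknown or not flagged as public. Throws when nothing public remains so
 * the endpoint fails closed rather than aggregating by a private column.
 *
 * @param array<string, array{type: string, public: bool}> $attributes
 * @param string|string[] $requested  value of the "aggregate" parameter
 * @return string[]
 */
function aggregateKeys(array $attributes, string|array $requested): array
{
    $keys = is_array($requested) ? $requested : explode(',', $requested);
    $allowed = [];
    foreach ($keys as $key) {
        $key = trim((string) $key);
        if (isset($attributes[$key]) && $attributes[$key]['public'] === true) {
            $allowed[] = $key;
        }
    }
    if ($allowed === []) {
        throw new InvalidArgumentException('No public aggregation key given');
    }
    return $allowed;
}

// The requests from the thread: the first is fine, the other two are refused.
var_dump(aggregateKeys(SEARCH_ATTRIBUTES, 'review.orderproductid'));
foreach (['review.customerid', 'review.ip'] as $private) {
    try {
        aggregateKeys(SEARCH_ATTRIBUTES, $private);
    } catch (InvalidArgumentException $e) {
        echo $private, ': ', $e->getMessage(), PHP_EOL;
    }
}
```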

kdim95
Advanced
Posts: 103
Joined: 26 Aug 2022, 12:17

Re: JsonApi aggregate endpoint reveals private attribute values

Post by kdim95 » 26 May 2023, 12:06

I guess I will have to update my project. I hope not too many things break if I do...
I have overridden/extended a bunch of files in my extensions.
