JsonApi aggregate endpoint reveals private attribute values

kdim95
Advanced
Posts: 192
Joined: 26 Aug 2022, 12:17

JsonApi aggregate endpoint reveals private attribute values

Post by kdim95 » 25 May 2023, 14:44

Laravel framework version: 9.52.4
Aimeos Laravel version: ~2022.10
PHP Version: 8.2.4
Environment: Linux

Hello,

Is this normal? Because it looks like a vulnerability to me.
The aggregate JsonApi endpoint returns private attribute values under the "id" key in the "data" response.

For example:
/jsonapi/review?aggregate=review.customerid

Response:

{
    "meta": {
        "total": 1,
        "prefix": null,
        "content-baseurl": "",
        "csrf": {
            "name": "_token",
            "value": "<TOKEN>"
        }
    },
    "data": [
        {"id": "<CUSTOMER ID>", "type": "review.customerid", "attributes": 1}
    ]
}

This also works for the review.orderproductid attribute.

This reveals attributes that should be private.

This is bad because I have created a new attribute for storing user IP addresses.
And yes, this method also works with the new attribute /jsonapi/review?aggregate=ip.

I have a topic here about the new attribute for the review IP address:
Add an attribute with a decorator, but private?

aimeos
Administrator
Posts: 7858
Joined: 01 Jan 1970, 00:00

Re: JsonApi aggregate endpoint reveals private attribute values

Post by aimeos » 26 May 2023, 11:15

Aggregating reviews by order product ID is necessary. Doing so by customer ID is unwanted but fortunately, it doesn't reveal any personal data. This is very different when returning the IP addresses of all reviewers with your implementation!

We've changed the code in the Aimeos core to respect the "public" value of the search attributes for aggregation and it's now available in dev-master and 2023.04.x-dev. Unfortunately, there are too many changes necessary to port that back to 2022.10 LTS.
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, give us a star

kdim95
Advanced
Posts: 192
Joined: 26 Aug 2022, 12:17

Re: JsonApi aggregate endpoint reveals private attribute values

Post by kdim95 » 26 May 2023, 12:06

I guess I will have to update my project, I hope not too many things break if I do...
I have overridden/extended a bunch of files in my extensions.

kdim95
Advanced
Posts: 192
Joined: 26 Aug 2022, 12:17

Re: JsonApi aggregate endpoint reveals private attribute values

Post by kdim95 » 12 Jun 2023, 08:49

Laravel framework version: 10.12.0
Aimeos Laravel version: ~2023.04
PHP Version: 8.2.6
Environment: Linux

I have upgraded my Aimeos and Laravel.
JsonApi aggregate endpoint still reveals private attribute values.

How to reproduce:
1) /jsonapi/review?aggregate=ip (custom attribute I've added in my decorator)

2) Response:

{
    "meta": {
        "total": 1,
        "prefix": null,
        "content-baseurl": "",
        "csrf": {
            "name": "_token",
            "value": "<TOKEN>"
        }
    },
    "data": [
        {"id": "<IP ADDRESS PRIVATE FIELD IS REVEALED HERE>", "type": "ip", "attributes": 2}
    ]
}

This is my decorator:

<?php

namespace Aimeos\MShop\Review\Manager\Decorator;

class MyDecorator
    extends \Aimeos\MShop\Common\Manager\Decorator\Base
    implements \Aimeos\MShop\Common\Manager\Decorator\Iface
{
    // Additional review columns; both are flagged as non-public so they
    // should never be exposed through the JSON API
    private $attr = [
        'ip' => [
            'code' => 'ip',
            'internalcode' => 'mrev."ip"',
            'label' => 'Customer IP address',
            'type' => 'string',
            'internaltype' => \Aimeos\Base\DB\Statement\Base::PARAM_STR,
            'public' => false,
        ],
        'comment_redacted' => [
            'code' => 'comment_redacted',
            'internalcode' => 'mrev."comment_redacted"',
            'label' => 'Redacted comment',
            'type' => 'string',
            'internaltype' => \Aimeos\Base\DB\Statement\Base::PARAM_STR,
            'public' => false,
        ],
    ];

    // Make the extra columns known for saving items
    public function getSaveAttributes() : array
    {
        return parent::getSaveAttributes() + $this->createAttributes( $this->attr );
    }

    // Make the extra columns known for searching and aggregating
    public function getSearchAttributes( bool $sub = true ) : array
    {
        return parent::getSearchAttributes( $sub ) + $this->createAttributes( $this->attr );
    }
}

aimeos
Administrator
Posts: 7858
Joined: 01 Jan 1970, 00:00

Re: JsonApi aggregate endpoint reveals private attribute values

Post by aimeos » 14 Jun 2023, 07:53

Looks very strange. Why should the IP be added as ID parameter to the response?
Can you investigate a bit more what could be the root cause in your setup?

kdim95
Advanced
Posts: 192
Joined: 26 Aug 2022, 12:17

Re: JsonApi aggregate endpoint reveals private attribute values

Post by kdim95 » 15 Jun 2023, 10:45

I was hoping you could help me debug this, where exactly are these fields added as "id" attributes to the aggregate response?

aimeos
Administrator
Posts: 7858
Joined: 01 Jan 1970, 00:00

Re: JsonApi aggregate endpoint reveals private attribute values

Post by aimeos » 16 Jun 2023, 07:57

The output is generated here:
https://github.com/aimeos/ai-admin-json ... te.php#L15

If you aggregate by IP, it must be the key for the counts.

kdim95
Advanced
Posts: 192
Joined: 26 Aug 2022, 12:17

Re: JsonApi aggregate endpoint reveals private attribute values

Post by kdim95 » 16 Jun 2023, 14:51

Hello,

I found where the "id" is added.

Aimeos\MShop\Common\Manager\Base

https://github.com/aimeos/aimeos-core/b ... #L165-L177

Proposing a solution:

$private_vals = []; // Store private attribute values with custom IDs

while( ( $row = $results->fetch() ) !== null )
{
    $row = $this->transform( $row );

    $temp = &$map;
    $last = array_pop( $row ); // last column holds the count

    foreach( $row as $key => $val )
    {
        // Check if the attribute is public ($attrList holds the manager's search attributes)
        if( $attrList[$key]->isPublic() )
        {
            $temp[$val] = $temp[$val] ?? [];
            $temp = &$temp[$val];
        }
        else
        {
            // Add a custom ID for the private attribute value
            if( !isset( $private_vals[$val] ) ) {
                $private_vals[$val] = \Illuminate\Support\Str::uuid()->toString();
            }
            $uuid = $private_vals[$val];
            $temp[$uuid] = $temp[$uuid] ?? [];
            $temp = &$temp[$uuid];
        }
    }

    $temp = $last;
}

Example output:

{
    "meta": {
        "total": 2,
        "prefix": null,
        "content-baseurl": "",
        "csrf": {
            "name": "_token",
            "value": "<TOKEN>"
        }
    },
    "data": [
        {"id": "<GUID>", "type": "ip", "attributes": 2}
    ]
}

Also how can I override this file?
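As an added illustration (not code from Aimeos or from anyone in this thread), the following stand-alone PHP script contrasts the two approaches discussed above: refusing to aggregate by a non-public attribute at all, which is what the core change mentioned earlier in the thread amounts to, and replacing non-public values with a random per-request token, which is what the proposal in this post does. Everything in it is an assumption for the sake of the example: search attributes are plain arrays with a `public` flag instead of `\Aimeos\Base\Criteria\Attribute` items, rows are constructed arrays instead of a database result, and the function names `reviewSearchAttributes`, `assertAggregatable` and `aggregate` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Aimeos code. Assumptions: a search attribute is a plain array
// with 'code' and 'public' keys, and result rows are constructed arrays of the form
// [value_for_key1, value_for_key2, ..., count] instead of a DB statement.

/** Constructed attribute list mirroring the flags from this thread (assumption). */
function reviewSearchAttributes(): array
{
    return [
        'review.orderproductid' => ['code' => 'review.orderproductid', 'public' => true],
        'review.customerid'     => ['code' => 'review.customerid',     'public' => true],
        'ip'                    => ['code' => 'ip',                    'public' => false],
    ];
}

/**
 * Variant 1: reject the request up front when any requested aggregation key is
 * unknown or not public, so the endpoint never produces values for it.
 */
function assertAggregatable(array $attrs, array $keys): void
{
    foreach ($keys as $key) {
        if (($attrs[$key]['public'] ?? false) !== true) {
            throw new InvalidArgumentException("Aggregation by non-public attribute \"$key\" is not allowed");
        }
    }
}

/**
 * Variant 2: build the nested count map the way aggregateBase() does, but map each
 * non-public value to a random token that exists only for this request, so the
 * grouping still works while the raw value never reaches the response.
 */
function aggregate(array $attrs, array $keys, array $rows): array
{
    $map = [];
    $tokens = []; // raw private value => per-request token

    foreach ($rows as $row) {
        $count = array_pop($row); // last column is the count
        $temp = &$map;

        foreach (array_values($row) as $idx => $val) {
            $key = $keys[$idx];
            if (($attrs[$key]['public'] ?? false) !== true) {
                $tokens[$val] ??= bin2hex(random_bytes(16));
                $val = $tokens[$val];
            }
            $temp[$val] ??= [];
            $temp = &$temp[$val];
        }

        $temp = $count;
        unset($temp); // drop the reference before processing the next row
    }

    return $map;
}

// Constructed sample: two reviewers, the first one with two reviews
$rows = [
    ['203.0.113.5', 2],
    ['198.51.100.9', 1],
];
$attrs = reviewSearchAttributes();

try {
    assertAggregatable($attrs, ['ip']);
} catch (InvalidArgumentException $e) {
    echo "variant 1: ", $e->getMessage(), PHP_EOL;
}

$result = aggregate($attrs, ['ip'], $rows);
foreach ($result as $id => $count) {
    echo "variant 2: id=$id count=$count", PHP_EOL; // ids are random tokens, not IPs
}

// Public keys pass through unchanged, e.g. aggregating by order product id
print_r(aggregate($attrs, ['review.orderproductid'], [[17, 2], [42, 1]]));
```

Run it with `php example.php`. Variant 1 is the simpler and safer guard for an attribute like an IP address, because the tokenised map of variant 2 still tells a caller how many distinct private values exist and how many reviews each one has; the tokens are regenerated per request, so they cannot be correlated across calls, but the counts themselves are still returned.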

kdim95
Advanced
Posts: 192
Joined: 26 Aug 2022, 12:17

Re: JsonApi aggregate endpoint reveals private attribute values

Post by kdim95 » 16 Jun 2023, 18:48

Ended up overriding aggregateBase() with the changes in Aimeos\MShop\Review\Manager\StandardCustom.

config/mshop/review.php:

return [
    'manager' => [
        'name' => 'StandardCustom',
    ],
];

This will work only for the review aggregation.
