JsonApi aggregate endpoint reveals private attribute values
Forum rules
Always add your Laravel, Aimeos and PHP version as well as your environment (Linux/Mac/Win)
Spam and unrelated posts will be removed immediately!
Laravel framework version: 9.52.4
Aimeos Laravel version: ~2022.10
PHP Version: 8.2.4
Environment: Linux
Hello,
Is this normal? Because it looks like a vulnerability to me.
The aggregate JsonApi endpoint returns private attribute values under the "id" key in the "data" response.
For example:
/jsonapi/review?aggregate=review.customerid
Response:
Code:
{
    "meta": {
        "total": 1,
        "prefix": null,
        "content-baseurl": "",
        "csrf": { "name": "_token", "value": "<TOKEN>" }
    },
    "data": [{"id":"<CUSTOMER ID>","type":"review.customerid","attributes":1}]
}
This also works for the review.orderproductid attribute.
This reveals attributes that should be private.
This is bad because I have created a new attribute for storing user IP addresses.
And yes, this method also works with the new attribute /jsonapi/review?aggregate=ip.
I have a topic here about the new attribute for the review IP address:
Add an attribute with a decorator, but private?
Re: JsonApi aggregate endpoint reveals private attribute values
Aggregating reviews by order product ID is necessary. Doing so by customer ID is unwanted but fortunately, it doesn't reveal any personal data. This is very different when returning the IP addresses of all reviewers with your implementation!
We've changed the code in the Aimeos core to respect the "public" value of the search attributes for aggregation and it's now available in dev-master and 2023.04.x-dev. Unfortunately, there are too many changes necessary to port that back to 2022.10 LTS.
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, give us a star
Re: JsonApi aggregate endpoint reveals private attribute values
I guess I will have to update my project, I hope not too many things break if I do...
I have overridden/extended a bunch of files in my extensions.
Re: JsonApi aggregate endpoint reveals private attribute values
Laravel framework version: 10.12.0
Aimeos Laravel version: ~2023.04
PHP Version: 8.2.6
Environment: Linux
I have upgraded my Aimeos and Laravel.
JsonApi aggregate endpoint still reveals private attribute values.
How to reproduce:
1) /jsonapi/review?aggregate=ip (custom attribute I've added in my decorator)
2) Response:
Code:
{
    "meta": {
        "total": 1,
        "prefix": null,
        "content-baseurl": "",
        "csrf": {
            "name": "_token",
            "value": "<TOKEN>"
        }
    },
    "data": [{"id":"<IP ADDRESS PRIVATE FIELD IS REVEALED HERE>","type":"ip","attributes":2}]
}
This is my decorator:
Code:
<?php

namespace Aimeos\MShop\Review\Manager\Decorator;

class MyDecorator
    extends \Aimeos\MShop\Common\Manager\Decorator\Base
    implements \Aimeos\MShop\Common\Manager\Decorator\Iface
{
    // Additional review columns; both are marked as non-public
    private $attr = [
        'ip' => [
            'code' => 'ip',
            'internalcode' => 'mrev."ip"',
            'label' => 'Customer IP address',
            'type' => 'string',
            'internaltype' => \Aimeos\Base\DB\Statement\Base::PARAM_STR,
            'public' => false,
        ],
        'comment_redacted' => [
            'code' => 'comment_redacted',
            'internalcode' => 'mrev."comment_redacted"',
            'label' => 'Redacted comment',
            'type' => 'string',
            'internaltype' => \Aimeos\Base\DB\Statement\Base::PARAM_STR,
            'public' => false,
        ],
    ];

    public function getSaveAttributes() : array
    {
        return parent::getSaveAttributes() + $this->createAttributes( $this->attr );
    }

    public function getSearchAttributes( bool $sub = true ) : array
    {
        return parent::getSearchAttributes( $sub ) + $this->createAttributes( $this->attr );
    }
}
Re: JsonApi aggregate endpoint reveals private attribute values
Looks very strange. Why should the IP be added as ID parameter to the response?
Can you investigate a bit more what could be the root cause in your setup?
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, give us a star
Re: JsonApi aggregate endpoint reveals private attribute values
I was hoping you could help me debug this, where exactly are these fields added as "id" attributes to the aggregate response?
Re: JsonApi aggregate endpoint reveals private attribute values
The output is generated here:
https://github.com/aimeos/ai-admin-json ... te.php#L15
If you aggregate by IP, it must be the key for the counts.
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, give us a star
Re: JsonApi aggregate endpoint reveals private attribute values
Hello,
I found where the "id" is added.
Aimeos\MShop\Common\Manager\Base
https://github.com/aimeos/aimeos-core/b ... #L165-L177
Proposing a solution:
Code:
$private_vals = []; // Store private attribute values with custom IDs

while( ( $row = $results->fetch() ) !== null )
{
    $row = $this->transform( $row );
    $temp = &$map;
    $last = array_pop( $row ); // last column is the aggregated count

    foreach( $row as $key => $val ) {
        // Check if the attribute is public
        if( $attrList[$key]->isPublic() ) {
            $temp[$val] = $temp[$val] ?? [];
            $temp = &$temp[$val];
        } else {
            // Add a custom ID for the private attribute value
            // (same value gets the same UUID within this request)
            if( !isset( $private_vals[$val] ) ) {
                $private_vals[$val] = \Illuminate\Support\Str::uuid()->toString();
            }
            $uuid = $private_vals[$val];
            $temp[$uuid] = $temp[$uuid] ?? [];
            $temp = &$temp[$uuid];
        }
    }
    $temp = $last;
}
Example output:
Code:
{
    "meta": {
        "total": 2,
        "prefix": null,
        "content-baseurl": "",
        "csrf": {
            "name": "_token",
            "value": "<TOKEN>"
        }
    },
    "data": [{"id":"<GUID>","type":"ip","attributes":2}]
}
Also how can I override this file?
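The core change described earlier in the thread (respect the "public" value of the search attributes when aggregating) and the UUID loop proposed above both come down to one check: look at the attribute's "public" flag before its values become keys in the response. The following is an added example, not Aimeos code and not from anyone in this thread: a standalone PHP script that rejects an aggregate request over a non-public attribute up front and then builds the nested count map the way the quoted core loop does. The attribute definitions mirror the array shape of the decorator above; the attribute names, the result rows and the two helper functions are constructed for the illustration.

```php
<?php
// Added example (not Aimeos code): aggregate only over attributes whose
// 'public' flag is true. Attribute definitions use the array shape of the
// decorator in this thread; rows and helper names are constructed.

declare(strict_types=1);

// Constructed attribute definitions; only 'code' and 'public' matter here.
$searchAttributes = [
    'review.orderproductid' => ['code' => 'review.orderproductid', 'public' => true],
    'review.customerid'     => ['code' => 'review.customerid',     'public' => false],
    'ip'                    => ['code' => 'ip',                    'public' => false],
];

/**
 * Returns the requested aggregate keys unchanged if every one of them is a
 * known, public search attribute; throws otherwise. Rejecting the request
 * is safer than replacing the values with pseudonyms: a count per pseudonym
 * still tells a caller how many reviews share one hidden value.
 */
function assertPublicAggregateKeys(array $keys, array $searchAttributes): array
{
    foreach ($keys as $key) {
        if (!isset($searchAttributes[$key])) {
            throw new \InvalidArgumentException("Unknown aggregate key: $key");
        }
        if (empty($searchAttributes[$key]['public'])) {
            throw new \InvalidArgumentException("Attribute is not public: $key");
        }
    }
    return $keys;
}

/**
 * Builds the nested map (aggregate value => count) like the core loop quoted
 * above: every column except the last forms the path, the last is the count.
 */
function buildAggregateMap(iterable $rows): array
{
    $map = [];
    foreach ($rows as $row) {
        $temp = &$map;
        $last = array_pop($row);
        foreach ($row as $val) {
            $temp[$val] = $temp[$val] ?? [];
            $temp = &$temp[$val];
        }
        $temp = $last;
        unset($temp); // drop the reference before the next row
    }
    return $map;
}

// Constructed result rows: [<aggregate value>, <count>]
$rows = [
    ['4711', 2],
    ['4712', 1],
];

// Only the order product ID request passes; the other two are rejected
// before any value reaches the response.
foreach (['review.orderproductid', 'review.customerid', 'ip'] as $key) {
    try {
        assertPublicAggregateKeys([$key], $searchAttributes);
        echo $key, ': ', json_encode(buildAggregateMap($rows)), PHP_EOL;
    } catch (\InvalidArgumentException $e) {
        echo $key, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

In a real manager the check would run against the search attributes the manager (and its decorators) actually expose, so a decorator that adds a column with 'public' => false, as the one above does, is covered automatically; the map building itself never has to know which attribute it is grouping by.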
Re: JsonApi aggregate endpoint reveals private attribute values
Ended up overriding aggregateBase() with the changes in Aimeos\MShop\Review\Manager\StandardCustom.
config/mshop/review.php:
Code:
return [
    'manager' => [
        'name' => 'StandardCustom',
    ],
];
This will work only for the review aggregation.