[CRITICAL] BUG: Custom field with internal: true, public: false is accessible via Shop API #3049

Closed
Yasser-G opened this issue Sep 8, 2024 · 2 comments
Labels
P1: urgent (Critical issue which affects majority of users), type: bug 🐛 (Something isn't working), type: security 🔐

Comments

Yasser-G commented Sep 8, 2024

Describe the bug
Custom field with internal: true, public: false is accessible via Shop API

To Reproduce
Steps to reproduce the behavior:

  1. Extend any entity with a new customField named { name: "secretKey", type: "string", defaultValue: "", public: false, internal: true }
  2. Query the entity via the Shop API and try to query customFields { secretKey }; you'll get GRAPHQL_VALIDATION_FAILED with the message Field \"customFields\" must not have a selection since type \"JSON\" has no subfields.
  3. Repeat the query without subfields, just querying customFields
  4. All internal and private custom fields are now visible

Expected behavior
Internal and private custom fields should not be exposable via Shop API

Environment (please complete the following information):

  • @vendure/core version: 3.0.1
  • Nodejs version: 18.20.4
  • Database (mysql/postgres etc): postgres
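An added example, not Vendure's own code, of the defensive shape this bug calls for: because customFields is a JSON scalar, the resolver has to strip fields that are internal or non-public for the requesting API before the object leaves the server, instead of returning the stored row as-is. The field config, entity row and flag semantics (internal hides a field from both APIs, public: false hides it from the Shop API only) are assumptions modelled on the report.

```typescript
// Added example, not Vendure's own code. Flag semantics are assumed from the
// report: internal => hidden from both APIs, public: false => hidden from Shop.
type CustomFieldConfig = {
  name: string;
  type: 'string' | 'int' | 'boolean';
  public?: boolean;   // default true
  internal?: boolean; // default false
};
type ApiType = 'shop' | 'admin';
type WithCustomFields = { customFields: Record<string, unknown> };

// Constructed config: one ordinary field, one internal secret, one admin-only note.
const productCustomFields: CustomFieldConfig[] = [
  { name: 'subtitle', type: 'string' },
  { name: 'secretKey', type: 'string', public: false, internal: true },
  { name: 'adminNote', type: 'string', public: false },
];
// Constructed entity row as loaded from the database (every key present).
const storedProduct: WithCustomFields = {
  customFields: { subtitle: 'Deluxe', secretKey: 'constructed-secret', adminNote: 'restock' },
};

// Vulnerable shape: the JSON scalar is returned exactly as stored, so querying
// customFields with no sub-selection leaks every key, including internal ones.
function resolveCustomFieldsUnfiltered(entity: WithCustomFields): Record<string, unknown> {
  return entity.customFields;
}

function isVisibleFor(field: CustomFieldConfig, api: ApiType): boolean {
  if (field.internal === true) return false;                  // never via GraphQL
  if (api === 'shop' && field.public === false) return false; // Admin API only
  return true;
}

// Hardened shape: build a fresh object from the declared config, keeping only
// fields visible to the requesting API; undeclared keys in the JSON are dropped too.
function resolveCustomFieldsFor(
  entity: WithCustomFields, config: CustomFieldConfig[], api: ApiType,
): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const field of config) {
    if (isVisibleFor(field, api) && field.name in entity.customFields) {
      out[field.name] = entity.customFields[field.name];
    }
  }
  return out;
}

// Regression check for a test suite: the Shop API view must never contain secretKey.
function shopViewLeaksSecret(): boolean {
  return 'secretKey' in resolveCustomFieldsFor(storedProduct, productCustomFields, 'shop');
}
```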
Yasser-G added the label type: bug 🐛 (Something isn't working) Sep 8, 2024
Yasser-G changed the title from "[CRITICAL] BUG: Custom field with internal: true, public: false is still via Shop API" to "[CRITICAL] BUG: Custom field with internal: true, public: false is accessible via Shop API" Sep 8, 2024
michaelbromley added the labels type: security 🔐 and P1: urgent (Critical issue which affects majority of users) Sep 8, 2024
michaelbromley moved this to 📋 Backlog in Vendure OS Roadmap Sep 8, 2024
michaelbromley moved this from 📋 Backlog to 🏗 In progress in Vendure OS Roadmap Sep 9, 2024
michaelbromley (Member) commented
Thanks for the report. A patch with the fix will be published this week.

michaelbromley added a commit that referenced this issue Sep 10, 2024
michaelbromley (Member) commented
Update: this fix is now available in versions 3.0.2 & 2.3.1

dlhck moved this from ♻️ In progress to 🚀 Shipped in Vendure OS Roadmap Sep 24, 2024