Sensitive API endpoints are exposed publicly and endpoints throughout do not mirror access priviliges of WooCommerce REST API

[dsifford]

Describe the bug

This issue report is actually a combination of two separate, but similar issues:

1. There are currently sensitive API endpoints exposed publicly that should not be allowed without admin-level authentication.
2. The access levels of endpoints created by this plugin do not mirror the access levels of similar endpoints in the WooCommerce REST API.

To Reproduce

1. Have wp-graphql and wp-graphql-woocommerce installed.
2. Send an unauthenticated request similar to the following (assuming your local site is running behind localhost:8080):

$ curl -X POST -H 'Content-Type: application/json' -d '
{
  "query": "query { products { nodes { id name totalSales } } }"
}' http://localhost:8080/graphql

3. See that I am able to get information pertaining to totalSales

Expected behavior

At minimum, totalSales should not be allowed to be queried by unauthenticated users.

At best, products should not be allowed, which is a mirror of WooCommerce REST API.

It's understandable though that maybe this graphql API should be a bit more laxed with its endpoints, being that maybe some people are using it to run a headless wordpress site. I can see why having products available to everyone would be needed. But some of the attributes of product should not be allowed to everyone (particularly totalSales) but perhaps also some of the others as well.

Addendum: I'm also now noticing that the field catalogVisibility is also publicly visible in responses, which begs the question: Are products that are unpublished also publicly visible? If so, that's another big dealbreaker.

Screenshots

N/A

Desktop (please complete the following information):

N/A

Smartphone (please complete the following information):

N/A

Additional context

None I can think of, but happy to provide more if needed.

See also: wp-graphql/wp-graphql#1071 (comment)

cc: @jasonbahl

[kidunot89]

@dsifford I've relied WP's capability system and WPGraphQL core data structure to hide sensitive information, but I know I've made quite a few mistakes. I didn't even factor in totalSales important in the data security scheme of things 🤦‍♂️.

Also for future reference, please send all security vulnerabilities to support@axistaylor.com

[dsifford]

Sorry for the public report. I did my diligence and attempted to locate a security policy for this repo, but there was none specified.

Duly noted for the future though.

---

What's your availability look like to address this? I'd be happy to help team up on it if extra manpower is needed.

[kidunot89]

I'll be working on this as along a few other patches this weekend.

[kidunot89]

@dsifford Also, to answer you question catalogVisibility is read-only for any non-administrator. You can add the catalogVisibility param to your product connections, but it will be ignored, unless you are unless the user has the necessary capabilities.

Do you think this should be a restricted field as well? So it's value isn't visible.
I'm hiding catalogVisibility and totalSales behind a capability checks.

[kidunot89]

@dsifford To address the exposure of the WPGraphQL endpoint, it's possible to use the WPGraphQL-CORS plugin to change the GraphQL endpoint route, as well as restrict the endpoint to only take requests from specific URLs using the HTTP CORS headers.

[dsifford]

restrict the endpoint to only take requests from specific URLs using the HTTP CORS headers.

Is this susceptible to referer spoofing? That would be my primary concern.

And a still looming concern is that the access control between the REST API and the graphql API is fractured and seems like it would be more difficult to maintain, rather than just keeping in line with Woo.