Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Finders should return nil instead of raising security violations #117

Closed
catmando opened this issue Jan 28, 2019 · 0 comments
Closed

Finders should return nil instead of raising security violations #117

catmando opened this issue Jan 28, 2019 · 0 comments
Labels
security Issue effects security
Projects
ALPHA to production
Milestone
alpha1.4

Comments

@catmando
Copy link
Contributor

For example consider:

Customers.find_by_handle('catmando')

if 'catmando' exists but the client does not have permission to view the data it will throw an error.

if 'catmando' does not exist it will just return nil.

so a hacker could use this to easily check if specific data exists or not.

Solution is just to return nil always unless the client has permission to view at least one attribute in the record.
@catmando catmando added the security Issue effects security label Jan 28, 2019
@catmando catmando added this to To do in ALPHA to production via automation Jan 28, 2019
@catmando catmando added this to the alpha1.4 milestone Jan 28, 2019
@catmando catmando changed the title Finders should return nil EVEN instead of raising security violations Finders should return nil instead of raising security violations Jan 29, 2019
@catmando catmando mentioned this issue Feb 15, 2019
Closed
ALPHA to production automation moved this from To do to Done Feb 16, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security Issue effects security
Projects
ALPHA to production
  
Done
Milestone
alpha1.4
Development

No branches or pull requests
1 participant
@catmando