Bad JSON data breaks API and admin dashboard #15496

@nikita-fuchs

Description

Hello,

It is possible to remotely break APIs if the content type has a JSON field and the create operation is permitted. This also breaks the admin UI and prevents administrators from removing the malicious record; accessing the DB directly is the only way to fix the incident.

Reproduction steps:

  1. Create a datatype with a JSON field
  2. Create a new record via direct API call or using the entity service, with a string (!) instead of an object for the JSON field:

     strapi.entityService.create(..., { data: { jsonField: "foo" } })

This will lead to the string being stored directly in the DB table, as Strapi seemingly relies fully on the DB to perform validation. The problem, though, is that Postgres' JSONB type allows storing objects, strings, and other data (see https://materialize.com/docs/sql/types/jsonb/#details).
Upon the call in step 2, the console will show a JSON parsing error, because Strapi is - for whatever reason - immediately reading the newly created record from the DB and expects the data to be a JSON object.

Now Strapi is de facto broken, because every time somebody calls the API endpoint that includes such a malformed JSON record, the parsing fails and there is an error response.

If an admin tries to investigate the issue, he is hit with the same error as the record(s) cannot be read because of the parsing error.

I recommend implementing a 'safe mode' view for the admin panel, so users aren't stuck with a broken Strapi instance if issues like these occur in the future.

Node.js version: v18.12.1
NPM version: v9.2.0
Strapi version: 4.5.6
Database: postgres
Operating system: OSX
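An added example (not code from the issue author or from the Strapi project) of the two guards a maintainer would want for the failure described above: a write-side check that refuses a bare string or other scalar for a field the schema declares as `json`, and a read-side helper that tolerates an already-stored malformed value instead of throwing, so the admin list view can still render and the record can be removed through the UI. The schema shape follows Strapi v4's `attributes: { name: { type: 'json' } }` convention; the content-type name, field names, sample values and the idea of calling `validateJsonFields` from a `beforeCreate` lifecycle hook are assumptions for illustration.

```javascript
// Added example: not from the issue or from Strapi's code base.
// Assumption: content-type schemas look like Strapi v4 schema files,
// i.e. attributes: { fieldName: { type: 'json' } }. The schema, field
// names and sample values below are constructed for illustration.

const articleSchema = {
  attributes: {
    title: { type: 'string' },
    jsonField: { type: 'json' },
  },
};

// A JSON field must hold a container (object or array). JSONB happily
// stores a bare scalar such as "foo", and that is exactly the value the
// read path later fails on.
function isJsonContainer(value) {
  return value !== null && typeof value === 'object';
}

// Write-side guard: returns a list of problems for `data`; an empty list
// means every declared json field is absent, null, or a container.
// Intended to run before strapi.entityService.create(uid, { data }),
// e.g. from a beforeCreate lifecycle hook (hook wiring assumed, not shown).
function validateJsonFields(schema, data) {
  const problems = [];
  for (const [name, attr] of Object.entries(schema.attributes)) {
    if (attr.type !== 'json') continue;
    const value = data[name];
    if (value === undefined || value === null) continue; // field not set
    if (!isJsonContainer(value)) {
      problems.push(`${name}: expected an object or array, got ${typeof value}`);
    }
  }
  return problems;
}

// Read-side guard: what comes back from the JSONB column may already be a
// parsed object, a string of JSON text, or a bare scalar written by the
// bug above. Never throw; flag the bad value so the caller can still
// render the record and offer to delete it.
function readJsonColumn(raw) {
  if (isJsonContainer(raw)) return { ok: true, value: raw };
  if (typeof raw === 'string') {
    try {
      const parsed = JSON.parse(raw);
      if (isJsonContainer(parsed)) return { ok: true, value: parsed };
    } catch (_) {
      // not JSON text at all; fall through and flag it
    }
  }
  return { ok: false, raw };
}

// Stand-alone demonstration with constructed inputs.
console.log(validateJsonFields(articleSchema, { title: 'ok', jsonField: { a: 1 } }));
console.log(validateJsonFields(articleSchema, { title: 'bad', jsonField: 'foo' }));
console.log(readJsonColumn('foo'));
console.log(readJsonColumn('{"a":1}'));
```

`validateJsonFields` is the check that would have rejected the request in step 2 before anything reached the database; `readJsonColumn` is the 'safe mode' half, letting an administrator see and delete a record whose JSON column already holds a scalar without touching the DB directly.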

Labels: issue: bug (Issue reporting a bug); severity: high (If it breaks the basic use of the product); source: core:database (Source is core/database package); status: confirmed (Confirmed by a Strapi Team member or multiple community members)