Bug: Field permissions not enforced on WHERE statemets #2161
Labels
bug
Something isn't working
topic:security
This is related to security
topic:surrealql
This is related to the SurrealQL query language
Describe the bug
There is a bug in the permission application in the WHERE clause of the SELECT statement. The problem manifests when a user who doesn't have the necessary privileges tries to select records based on a field that they don't have read access to. The issue is that the SELECT statement should not execute successfully if the WHERE clause refers to a field the user doesn't have permission to read. The current behavior inadvertently leaks information to the user about the underlying data, which is a violation of the principle of least privilege.
Steps to reproduce
Define a table with permissions. In the example provided, the table is called
car
and the specific field with permissions iscolor
. Permissions are defined for select, create, update, and delete operations for the field.Create a record in the
car
table with thecolor
field set togreen
.Authenticate as a user without the 'Car/color/Read' privilege.
Execute a SELECT statement with a WHERE clause that includes the
color
field, such asSELECT * FROM car WHERE color = 'green';
.Observe the returned response. Although the
color
field is correctly omitted from the response due to the user's lack of read permission, the fact that a record is returned at all indicates that there is a car with a green color, leaking information about the underlying data.Table:
Query:
Response:
Even though the user does not have read permission for the
color
field, the SELECT statement with a WHERE clause referring to that field is executed successfully, and a record is returned. Thecolor
field is correctly omitted from the returned record, but the mere presence of the record indicates that there is a car with a green color, effectively leaking information about the underlying data.Expected behaviour
If a user does not have read permission for a field, any SELECT statement with a WHERE clause referring to that field should result in an error, or at least not return any records. This would maintain the principle of least privilege and avoid leaking information about the underlying data.
SurrealDB version
1.0.0-beta.9+20230402.5eafebd for linux on x86_64
Contact Details
selmeci.roman@gmail.com
Is there an existing issue for this?
Code of Conduct
The text was updated successfully, but these errors were encountered: