GHSA-9722-9j67-vjcr: Improper Authorization in Select Permissions
Due to the order in which permissions were processed, some statements, filters and computations could lead to leaking field values or record contents to users without the required permissions. This behavior could be triggered in different scenarios:
When performing a
SELECT
operation on a table, the values that would be returned were iterated over, field permissions would be validated and any unauthorized value would be removed from the result returned. However, performing aSELECT VALUE
operation (e.g.SELECT VALUE private FROM data
) would result in a non-iterable value, which would not be removed from the returned result.When aliasing a field (e.g.
SELECT private AS public FROM data
) for which the user did not haveSELECT
permissions within aSELECT
query, permissions would be checked against the field of the resulting document containing the aliased field instead of the original document containing the original field. As a consequence, the original field value would be returned as the returned field would not match the original field where permissions had been defined.When calling a function in the context of a
SELECT
query and passing a field with permissions as an argument to the function (e.g.SELECT string::lowercase(private) FROM data
), the function would receive the field value before it had been removed from the document due toSELECT
permissions. As a result, the function would have access to the value of the field regardless of field permissions. This case includes functions called from within events and other clauses that support function calling.When executing a query containing a
WHERE
clause filtering records by a field that the querying user does not have access toSELECT
(e.g.SELECT public FROM data WHERE private ~ "secret"
), the response of that query would still take the value of the field into account. Even though the value of the protected field would not be returned, this behavior could be used as a side channel by the querying user to infer information about the value of the field.When performing
UPDATE
orDELETE
operations over a table with a user that had those permissions but noSELECT
permission, theRETURN BEFORE
clause could be used (e.g.DELETE data RETURN BEFORE
) to read the contents of the records prior to the authorized update or the deletion despite the querying user not being authorized to performSELECT
operations.When performing
UPDATE
operations on a table for which the user hadSELECT
andUPDATE
permissions, theSET
clause could reference fields that the user hadUPDATE
but noSELECT
permission for (e.g.UPDATE data SET public = private
) in order to update the value of a field that the user had permission toSELECT
to the value of another field for which the user did not.
References
- github.com/advisories/GHSA-9722-9j67-vjcr
- github.com/surrealdb/surrealdb
- github.com/surrealdb/surrealdb/commit/439ab99e15314ec5cf87047bf58246db646e3f8c
- github.com/surrealdb/surrealdb/commit/c382fa158dc84b329328606f663efe574f102a7d
- github.com/surrealdb/surrealdb/commit/e75e7736b3a028c4b6a4a4bdf00791d76f77e339
- github.com/surrealdb/surrealdb/issues/2161
- github.com/surrealdb/surrealdb/issues/3924
- github.com/surrealdb/surrealdb/pull/4785
- github.com/surrealdb/surrealdb/pull/4800
- github.com/surrealdb/surrealdb/pull/4873
- github.com/surrealdb/surrealdb/security/advisories/GHSA-9722-9j67-vjcr
- surrealdb.com/docs/surrealdb/security/summary
- surrealdb.com/docs/surrealql/statements/define/field
- surrealdb.com/docs/surrealql/statements/define/table
Detect and mitigate GHSA-9722-9j67-vjcr with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →