Why is sensitive Webform information exposed with JSON:API and a custom access check?

I'm on D9.3.x with Webform 6.1.4. Some sensitive information is exposed when I add a custom access check on webform submissions.

E.g. with no custom code, when GETting jsonapi/webform_submission/my_webform without the right permissions the site returns:

    {
        "jsonapi": {
            "version": "1.0",
            "meta": {
                "links": {
                    "self": {
                        "href": "http://jsonapi.org/format/1.0/"
                    }
                }
            }
        },
        "data": [],
        "meta": {
            "count": 0
        },
        "links": {
            [...]
        }
    }

If I add a custom Webform handler with:

    public function access(WebformSubmissionInterface $webform_submission, $operation, AccountInterface $account = NULL) {
      // Only the 'view' operation is customised; everything else falls back to the default handler access.
      if ($operation !== 'view' || $account === NULL) {
        return parent::access($webform_submission, $operation, $account);
      }

      // Reload the full user entity so the custom field is available.
      $current_account = $this->entityTypeManager->getStorage('user')
        ->load($account->id());

      $webform_author = $webform_submission->getOwner();

      $webform_author_field = $webform_author->myfield->value;
      $current_account_field = $current_account->myfield->value;

      // Allow viewing when the submission author and the current user share the same field value.
      if ($webform_author_field === $current_account_field) {
        return AccessResult::allowed();
      }

      return parent::access($webform_submission, $operation, $account);
    }

The same GET returns:

    {
        "jsonapi": {
            "version": "1.0",
            "meta": {
                "links": {
                    "self": {
                        "href": "http://jsonapi.org/format/1.0/"
                    }
                }
            }
        },
        "data": [],
        "meta": {
            "count": 5,
            "omitted": {
                "detail": "Some resources have been omitted because of insufficient authorization.",
                "links": {
                    "help": {
                        "href": "https://www.drupal.org/docs/8/modules/json-api/filtering#filters-access-control"
                    },
                    "item--5EzsKk7": {
                        "href": "https://mysite/jsonapi/webform_submission/my_webform/5815d421-9ba1-4c2f-a1d3-00233261658f",
                        "meta": {
                            "rel": "item",
                            "detail": "The current user is not allowed to GET the selected resource."
                        }
                    },
                    "item--hsvvR7z": {
                        "href": "https://mysite/jsonapi/webform_submission/my_webform/66b5ae7c-24b0-46cd-9b7e-2e78969eae17",
                        "meta": {
                            "rel": "item",
                            "detail": "The current user is not allowed to GET the selected resource."
                        }
                    },
                    [...]
                }
            }
        },
        "links": {
            [...]
        }
    }

Thus both the total number of submissions and their UUIDs are exposed. Do you have any idea why this happens?

Edit: I updated the code and noticed one thing. If the site has some submissions but the user has 0 that he can access with the "base" webform settings, the GET returns 0 in the "meta", i.e. the custom code has no effect.

However, if the user has some submissions he could access with the "base" settings and the custom access() function runs `AccessResult::forbidden();`, then the "meta" in the GET is populated with the submissions the user could have had access to.
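As an added illustration (not code from the question, Webform or JSON:API), a small Python check that parses a collection response of the shape shown above and reports whether `meta.count` or `meta.omitted` discloses submissions the caller is not allowed to read; the sample bodies, host name and UUIDs are constructed placeholders.

```python
import json
import re

# Constructed sample modelled on the second response in the question
# (custom access handler active): "data" is empty, yet meta.count and
# meta.omitted reveal how many submissions exist and their UUIDs.
SAMPLE_LEAKY = json.dumps({
    "jsonapi": {"version": "1.0"},
    "data": [],
    "meta": {
        "count": 5,
        "omitted": {
            "detail": "Some resources have been omitted because of insufficient authorization.",
            "links": {
                "help": {"href": "https://www.drupal.org/docs/8/modules/json-api/filtering#filters-access-control"},
                "item--a1": {
                    "href": "https://example.test/jsonapi/webform_submission/my_webform/00000000-0000-4000-8000-000000000001",
                    "meta": {"rel": "item", "detail": "The current user is not allowed to GET the selected resource."},
                },
                "item--a2": {
                    "href": "https://example.test/jsonapi/webform_submission/my_webform/00000000-0000-4000-8000-000000000002",
                    "meta": {"rel": "item", "detail": "The current user is not allowed to GET the selected resource."},
                },
            },
        },
    },
})

# Constructed sample modelled on the first response (no custom code): nothing disclosed.
SAMPLE_CLEAN = json.dumps({"jsonapi": {"version": "1.0"}, "data": [], "meta": {"count": 0}})

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def audit_jsonapi_collection(body: str) -> dict:
    """Summarise what a caller without access learns from a JSON:API collection body."""
    doc = json.loads(body)
    data = doc.get("data") or []
    meta = doc.get("meta") or {}
    omitted_links = (meta.get("omitted") or {}).get("links") or {}
    # Only links with rel=item point at individual omitted resources; "help" is documentation.
    omitted_uuids = []
    for link in omitted_links.values():
        if (link.get("meta") or {}).get("rel") != "item":
            continue
        match = UUID_RE.search(link.get("href", ""))
        if match:
            omitted_uuids.append(match.group(0).lower())
    count = meta.get("count")
    # A leak: the advertised total exceeds what was returned, or omitted-resource links are present.
    leaks = bool(omitted_uuids) or (count is not None and count > len(data))
    return {"returned": len(data), "count": count, "omitted_uuids": omitted_uuids, "leaks": leaks}
```

Running this against a live response in a test suite turns the behaviour described in the question into a regression check for the site's access configuration.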

apaderno:
Since the question is about code, we need to see the used code, or we cannot answer the question. Also, from the shown JSON, I do not see any exposed data; I just see an error message saying the user is not allowed to get the selected resource.

apaderno:
To make it clear: `$my_check = false; //some custom logic` is not enough code.

Giuseppe:
I updated the code, but I don't think it's relevant. I mean, there could be only `return AccessResult::forbidden();` inside the `access` function to reproduce the point in my question. For exposed data I consider the count of submissions not visible and their UUIDs. Not a big deal, or so important, I'd agree; I'm more interested in why there is a behavior different from the "base" settings.

apaderno:
How could users tell you what is wrong in the code you are using, if you do not show it? For example, you could forget to initialize a variable; users could not say that is what is wrong in the code without seeing the code.