**Summary:** Sorting reports by jira_status yields a different result set, revealing which reports use Jira even when the user has no access to Jira information.

**Description:**

A user with no access to the Jira information of any report can nonetheless reach the jira field by sorting with order_by on jira_status. Using the two GraphQL queries below we can see the discrepancy in total_count for the test teams listed here:
Test Teams (handles redacted):

- Team 1: order_by id gives total_count 10; order_by jira_status gives total_count 11
- Team 2: order_by id gives total_count 458; order_by jira_status gives total_count 466
- Team 3: order_by id gives total_count 299; order_by jira_status gives total_count 309
- Team 4: order_by id gives total_count 109; order_by jira_status gives total_count 110
GraphQL query using the field id as the order_by criterion. Any other sort field yields the same total_count; only jira_status differs:
```graphql
{
  reports(where: {team: {handle: {_eq: "██████"}}}, order_by: {direction: ASC, field: id}) {
    total_count
    nodes {
      substate
      jira_escalation_state
      jira_escalation_last_state_change_at
      created_at
      disclosed_at
      extracted_report_data {
        hosts
      }
      title
      url
      team {
        handle
      }
      reporter {
        username
      }
    }
  }
}
```
Change the field in order_by to jira_status and the query returns a different result.
Below is part of the response using jira_status as the sort field. Note that jira_escalation_state and jira_escalation_last_state_change_at are null, meaning a ==public user doesn't have access to this information.== Note also the total_count of 11 (the highlighted value in the original response).
```json
{
  "data": {
    "reports": {
      "total_count": 11,
      "nodes": [
        {
          "substate": "resolved",
          "jira_escalation_state": null,
          "jira_escalation_last_state_change_at": null,
          "created_at": "2019-09-18T11:57:36.488Z",
          "disclosed_at": "2020-04-21T02:53:04.699Z",
          "extracted_report_data": null,
          "title": "███",
          "url": "███",
          "team": {
            "handle": "████████"
          },
          "reporter": {
            "username": "█████"
          }
        },
```
Additional information: I dug more into the discrepancies and checked the returned reports one by one to compare results; in Team ███████, the report ███████ appeared twice because of the sort_by jira_status.
Thank you.
Ariel
Due to improper access control on the sort_by of the jira_status field, any user can get an idea of which reports are using Jira even if the user has no access to Jira information.
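The following toy resolver is an added illustration, not the platform's own code. It models the two observations above: sorting on a field the caller is not allowed to read leaks information through total_count, and, if the sort is implemented as a one-to-many join onto Jira data (an assumption about the mechanism, consistent with the duplicated report noted above), a report can appear twice and inflate the count. The hardened version rejects order_by on fields outside the caller's readable set and derives one sort value per report.

```python
# Added illustration (not the platform's code): a toy resolver showing how sorting
# by a field the caller cannot read both leaks information and, if the sort is
# implemented as a one-to-many join (an assumption), inflates total_count.

# Constructed sample data: three reports, Jira links for two of them.
REPORTS = [{"id": 1, "title": "r1"}, {"id": 2, "title": "r2"}, {"id": 3, "title": "r3"}]
JIRA_LINKS = [  # report 2 has two linked issues, report 3 has none
    {"report_id": 1, "jira_status": "Open"},
    {"report_id": 2, "jira_status": "Done"},
    {"report_id": 2, "jira_status": "Open"},
]
PUBLIC_FIELDS = {"id", "title"}
JIRA_FIELDS = {"jira_status", "jira_escalation_state"}


def left_join_rows(reports, links):
    """SQL-style LEFT JOIN: a report with N links yields N rows, with 0 links one row."""
    rows = []
    for r in reports:
        matches = [l for l in links if l["report_id"] == r["id"]]
        if not matches:
            rows.append({**r, "jira_status": None})
        rows.extend({**r, "jira_status": l["jira_status"]} for l in matches)
    return rows


def vulnerable_query(order_field):
    """No access check on the sort field; the join duplicates reports and inflates the count."""
    rows = REPORTS if order_field in PUBLIC_FIELDS else left_join_rows(REPORTS, JIRA_LINKS)
    rows = sorted(rows, key=lambda r: (r.get(order_field) is None, str(r.get(order_field))))
    return {"total_count": len(rows), "ids": [r["id"] for r in rows]}


def hardened_query(order_field, user_can_read_jira):
    """Only fields the caller may read are sortable, and the sort never multiplies rows."""
    allowed = PUBLIC_FIELDS | (JIRA_FIELDS if user_can_read_jira else set())
    if order_field not in allowed:
        raise PermissionError(f"order_by on {order_field!r} is not permitted for this user")
    first_status = {}  # one value per report, so the sort key cannot duplicate rows
    for link in JIRA_LINKS:
        first_status.setdefault(link["report_id"], link["jira_status"])
    if order_field == "jira_status":
        key = lambda r: (first_status.get(r["id"]) is None, str(first_status.get(r["id"])))
    else:
        key = lambda r: r[order_field]
    rows = sorted(REPORTS, key=key)
    return {"total_count": len(rows), "ids": [r["id"] for r in rows]}


if __name__ == "__main__":
    print(vulnerable_query("id"))               # total_count 3, ids [1, 2, 3]
    print(vulnerable_query("jira_status"))      # total_count 4, ids [2, 1, 2, 3]: report 2 twice
    print(hardened_query("jira_status", True))  # total_count 3, ids [2, 1, 3]
```

The count difference between the two vulnerable calls is exactly the signal a user without Jira access should never be able to observe, and the PermissionError in the hardened path is the check that closes it.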