GraphQL traversal due to missing permission checks
orders
and customers
fields allow to access each other via nodes edges. However, connections don’t check user’s permissions, which allows, for instance, a staff with just Customers
permissions get full information about the order, though direct access is forbidden.
I will use a “Staff without Orders
permission” scenario
Customers
permission.{
"query":"{ orders(first: 10) { edges { node { id } } } }"
}
This POST
query to http://localhost:8000/graphql/
returns You do not have permission to perform this action
.
3. 3. Go to a page of any customer with at least one order and note that UI shows Recent orders
with just “No. of Order”, “Date”, “Status” and “Total” fields. However, if you try to see the full information about an order and click on it , you’ll get Ooops!... Something's missing
, as you don’t have enough permissions.
4. Now run this query and receive full information about all orders:
{
"query":"{ customers(first: 10) { edges { node { firstName, orders(first: 10) { edges { node { id, trackingClientId, voucher { id }, giftCards { id }, discount { amount }, discountName, customerNote, weight { value }, metadata { key, value }, fulfillments { id, status }, lines { id, productName, quantity }, actions, total { gross { amount } }, isPaid } } } } } } }"
}
The most interesting field here is definitely lines
, as it completely leaks the order.
Though some fields on orders
must be visible to a staff with only Customers
permission to see the brief info about the last orders, an access to such fields as lines
should be restricted.
This vulnerability is capable of leaking customer’s private information.