Private data¶
Description¶
According to the rules provided in the configuration file, private data can be accessed by unauthorized users.
Remediation¶
The best way to ensure that private data can only be accessed by authorized users is by implementing a proper access control system. To do so, access control must be applied to every object and every link in the graphQL schema.
GraphQL Specific¶
Apollo
To mitigate the risk of unauthorized access or data leakage within the Apollo framework engine, ensure that all sensitive data is handled securely. Implement proper access controls, encrypt sensitive information both at rest and in transit, and regularly audit logs to detect any abnormal access patterns or breaches. Additionally, keep the Apollo framework and its dependencies up to date with the latest security patches.Yoga
To address vulnerabilities within the Yoga framework engine related to private data exposure, ensure that all sensitive information is encrypted both at rest and in transit. Implement access controls and authentication mechanisms to restrict unauthorized access. Regularly audit the codebase for potential data leakage and adhere to best practices for data privacy, such as following the principles of the General Data Protection Regulation (GDPR) or similar regulations. Additionally, consider using environment variables for sensitive configuration details instead of hardcoding them within the application.Awsappsync
To mitigate the risk of exposing private data in AWS AppSync, ensure that all GraphQL resolvers are properly configured to enforce authentication and authorization checks. Implement field-level authorization to control access to sensitive data, and use AWS Identity and Access Management (IAM) roles or Amazon Cognito user pools to manage permissions. Regularly audit your API configurations and access patterns to ensure compliance with data privacy requirements.Graphqlgo
To mitigate the risk of private data exposure in a GraphQL Go framework engine, ensure that access control checks are implemented at the resolver level. Use middleware to authenticate and authorize users, and apply field-level security to prevent unauthorized retrieval of sensitive data. Additionally, consider implementing query complexity analysis to prevent resource exhaustion attacks, and regularly audit your schema to ensure that no private data is unintentionally exposed.Graphqlruby
To mitigate the risk of exposing sensitive data in your GraphQL Ruby framework, ensure that you implement proper authentication and authorization checks. Use the pundit or cancancan gems for fine-grained access control, and always filter the data based on the current user's permissions. Additionally, consider using GraphQL's field-level permissions to restrict access to certain fields within your schema. Regularly audit your resolvers and mutations to ensure they do not inadvertently expose private information. Lastly, keep your GraphQL Ruby framework and its dependencies up to date to benefit from the latest security patches.Hasura
To mitigate the risk of unauthorized access to private data in the Hasura framework, ensure that all GraphQL queries and mutations are authenticated and authorized appropriately. Implement role-based access control (RBAC) to restrict data access based on user roles. Use Hasura's permission system to define granular permissions for each table and operation. Regularly audit your permission rules and update them as necessary to adhere to the principle of least privilege. Additionally, consider using environment variables for sensitive information and enable Hasura's webhook or JWT modes for enhanced security. Always keep the Hasura engine and its dependencies up to date with the latest security patches.Agoo
Implement access controls and authentication mechanisms to restrict unauthorized access to private data in the Agoo framework.Ariadne
Implement access controls and authentication mechanisms to ensure that private data in the Ariadne framework engine is only accessible to authorized users.Caliban
Implement access controls and authentication mechanisms to ensure that only authorized users can access private data in the Caliban framework.Dgraph
Implement access control lists (ACLs) to restrict unauthorized access to private data in the Dgraph framework.Dianajl
Implement access controls and encryption to protect private data in the Dianajl framework engine.Directus
Implement role-based access control (RBAC) to restrict access to private data in the Directus framework.Flutter
Implement secure storage solutions for sensitive data in the Flutter framework to prevent unauthorized access.Graphene
Implement authentication and authorization middleware to restrict access to private data in the Graphene framework.Graphqlapiforwp
Implement authentication and authorization mechanisms to ensure that only authorized users can access private data in the GraphQL API for WP framework.Graphqlgophergo
Implement authentication and authorization checks to ensure that only authorized users can access private data in the GraphQLGopherGo framework.Graphqljava
Implement authentication and authorization mechanisms to ensure that only authorized users can access private data in the GraphQL Java framework.Graphqlphp
Implement authentication and authorization middleware to restrict access to private data in the GraphQLPHP framework.Graphqlyoga
Implement authentication and authorization middleware to restrict access to private data in the GraphQL Yoga framework.Hypergraphql
Implement access control mechanisms to ensure that only authorized users can access private data in the HyperGraphQL framework.Jaal
Implement access controls and authentication mechanisms to restrict unauthorized access to private data in the Jaal framework engine.Juniper
Implement access controls and encryption to protect private data in the Juniper framework engine.Lacinia
Implement access control checks to ensure that only authorized users can access private data in the Lacinia framework.Lighthouse
Implement access controls and encryption to protect private data in the Lighthouse framework engine.Mercurius
Implement access control mechanisms to restrict unauthorized access to private data in the Mercurius framework engine.Morpheusgraphql
Implement access control mechanisms to restrict unauthorized access to private data in MorpheusGraphQL framework.Qglgen
Implement access control checks to ensure that only authorized users can access private data in the gqlgen framework.Sangria
Implement field-level authorization checks in the Sangria framework to ensure that private data is only accessible to authorized users.Shopify
Implement Shopify's built-in data protection features and ensure that access controls are properly configured to restrict unauthorized access to private data.Stepzen
Implement authentication and authorization mechanisms to restrict access to private data in the StepZen framework.Strawberry
Implement access controls and authentication mechanisms to ensure that private data in the Strawberry Framework Engine is only accessible to authorized users.Tartiflette
Implement access control checks to ensure that private data in the Tartiflette framework engine is only accessible to authorized users.Wpgraphql
Implement authentication and authorization checks to ensure that only authorized users can access private data in the WPGraphQL framework.REST Specific¶
Asp_net
Implement proper authentication and authorization checks before allowing access to private data. Use ASP.NET Identity for managing users and roles, and ensure that [Authorize] attributes are applied to controllers and actions to restrict access as necessary. Additionally, employ secure coding practices to prevent SQL injection and other vulnerabilities that could lead to unauthorized data access.Ruby_on_rails
Implement strong access control checks and use Rails' built-in mechanisms such as 'before_action' callbacks in controllers to verify user permissions before allowing access to private data.Next_js
Implement server-side checks to validate user permissions before serving private data, and use Next.js API routes to securely handle data fetching.Laravel
In Laravel, ensure that you use Eloquent ORM or Query Builder for database interactions, which automatically use parameterized queries to prevent SQL injection. Additionally, utilize Laravel's built-in authorization features such as Gates and Policies to control access to private data, and always validate and sanitize user input to prevent unauthorized access.Express_js
Implement proper access controls and authentication mechanisms to ensure that only authorized users can access private data. Use middleware such as `helmet` to secure Express.js applications by setting various HTTP headers and `express-session` for handling sessions. Regularly audit your code and dependencies for vulnerabilities and keep them up-to-date.Django
Ensure that Django's built-in authentication system is properly implemented to control access to sensitive data. Use the `@login_required` decorator for views that handle private data, set proper permissions with the Django permissions framework, and always filter QuerySets based on the requesting user's privileges to prevent unauthorized access to private data.Symfony
In the Symfony framework, ensure that access control is properly implemented by using the security component. Define access control rules in the security.yaml configuration file, utilize voters to manage permissions, and apply annotations or attributes for controller methods to restrict access to sensitive data. Regularly update Symfony and its dependencies to incorporate security fixes.Spring_boot
Implement proper access control checks and enforce authentication and authorization mechanisms to restrict unauthorized access to private data. Utilize Spring Security to configure role-based access control and secure endpoints.Flask
Implement proper access controls and authentication mechanisms to ensure that only authorized users can access private data. Use Flask's `flask_login` or `flask_principal` extensions for managing user sessions and permissions. Additionally, apply `@login_required` decorators to protect routes that handle sensitive information.Nuxt
Implement robust access controls and server-side validation to ensure that only authorized users can access private data. Use middleware to check user permissions, and apply encryption for sensitive data both in transit and at rest.Fastapi
Implement proper access control checks within FastAPI route handlers to ensure only authorized users can access private data. Utilize FastAPI's dependency injection system to create reusable dependencies for authentication and authorization. Additionally, consider integrating with OAuth2 or other security protocols for robust user authentication.Frappe
Implement role-based access control to restrict unauthorized access to private data in the Frappe framework.Genzio
Implement access controls and encryption to protect private data in the Genzio framework engine.Gin
Implement middleware to validate and sanitize incoming requests to prevent unauthorized access to private data in the Gin framework.Gorilla
Implement access controls and encryption to protect private data in the Gorilla framework engine.Hapi
Implement Hapi's built-in validation and authentication strategies to ensure private data is accessed only by authorized users.Hono
Implement access controls and encryption to protect private data in the Hono framework engine.Jersey
Implement access control checks to ensure that only authorized users can access private data in the Jersey framework.Koa
Implement middleware to sanitize and validate incoming requests to prevent unauthorized access to private data in the Koa framework.Ktor
Implement authentication and authorization middleware to restrict access to private data in the Ktor framework.Leptos
Implement access controls and authentication mechanisms to ensure that private data in the Leptos framework engine is only accessible to authorized users.Macaron
Implement middleware to sanitize and validate input data to prevent unauthorized access to private data in the Macaron framework.Phoenix
Implement authentication and authorization checks to ensure that private data in the Phoenix framework is only accessible to authorized users.Redwoodjs
Implement RedwoodJS's built-in authentication and authorization features to restrict access to private data.Rocket
Implement access controls and authentication mechanisms to restrict unauthorized access to private data in the Rocket framework engine.Sveltekit
Implement server-side data validation and access controls in SvelteKit to ensure private data is only accessible to authorized users.Configuration¶
Identifier:
access_control/private_data
Parameters¶
__user : A list of fieldName:[scalarValues] the user should never be able to access. Set .* as fieldName to avoid the value everywhere.
rules : (For REST) The list of private fields rules to check during a scan.
Examples¶
REST: Ensure user some-user retrieve an admin user on a list of users at GET /users¶
{
"auth": { #
... REDACTED AUTH ...
},
"users": {
... Other users ...
"some-user": { # User to check
... REDACTED AUTH ...
}
... Other users ...
}
... Other configuration settings ...
"checks": {
... Other checks ...
"AccessControl_PrivateData": {
"parameters": {
"rules": [
"user": "some-user",
"routes": [
{
"method": "GET",
"path": "/users",
"pattern": ".*admin: true.*"
}
]
]
}
}
... Other checks ...
}
... Other configuration settings ...
}
REST: Ensure user some-user cannot access the fields email with value @mycompany.com and role.group with value admin on route GET /users¶
{
"auth": { #
... REDACTED AUTH ...
},
"users": {
... Other users ...
"some-user": { # User to check
... REDACTED AUTH ...
}
... Other users ...
}
... Other configuration settings ...
"checks": {
... Other checks ...
"AccessControl_PrivateData: {
"parameters": {
"rules": [
"user": "some-user",
"routes": [
{
"method": "GET",
"path": "/users",
"fields": ["email"],
"pattern": "@mycompany.com"
},
{
"method": "GET",
"path": "/users",
"fields": ["role.group"],
"pattern": "admin"
}
]
]
}
}
... Other checks ...
}
... Other configuration settings ...
}
REST: Ensure user some-user cannot access a field admin-* on route GET /admin¶
{
"auth": { #
... REDACTED AUTH ...
},
"users": {
... Other users ...
"some-user": { # User to check
... REDACTED AUTH ...
}
... Other users ...
}
... Other configuration settings ...
"checks": {
... Other checks ...
"AccessControl_PrivateData: {
"parameters": {
"rules": [
"user": "some-user",
"routes": [
{
"method": "GET",
"path": "/admin",
"fields": ["admin-*"],
"pattern": ".*"
}
]
]
}
}
... Other checks ...
}
... Other configuration settings ...
}
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API3:2023
- OWASP LLM: LLM06:2023
- pci: 3.4
- gdpr: Article-32
- soc2: CC1
- psd2: Article-32
- iso27001: A.18.1
- nist: SP800-53
- fedramp: AC-3
Classification¶
- CWE: 200
Score¶
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1