Skip to content

Private fields

Description

According to the rules provided in the configuration file, objects and object fields can be accessed by unauthorized users.

Remediation

When accessing the application through GraphQL, it is important to validate whether or not the user is given access to the requested elements from the schema. Access control policies must therefore be implemented on every path of the Graph leading to the given field or object.

The authorization logic belongs to the business logic layer, and from there it is accessed by GraphQL. This way, the application can have a single source of truth for authorization, which can then be used for other access points.

Among the several access control policies that can be implemented in an application, the two most popular ones are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).

  • With Role-Based Access Control, permissions are granted based on roles which are later assigned to the users. For instance, WordPress has an administrator role with access to all resources, and the editor, author, contributor, and subscriber roles which each restrict permissions in various degrees, such as being able to create and publish a blog post, just create it, or simply read it.

  • With Attribute-Based Access Control, permissions are granted based on metadata that can be assigned to different entities including users, assets, or environment conditions (the time of the day or the visitor's IP address for example). In the WordPress example, the capability edit_others_posts is used to validate whether or not the user can edit other users' posts.

For most use cases, ABAC is preferable to RBAC as it allows for finely tuned permissions with explicit goals.

GraphQL Specific

Apollo Ensure that private fields in the Apollo framework engine are properly encapsulated and not directly accessible from outside the class. Use appropriate access modifiers like 'private' to declare fields that should not be exposed, and provide controlled access through public methods if necessary. Regularly review your codebase to adhere to the principle of least privilege, only exposing what is necessary for the operation of the application.
Yoga Ensure that all private fields in the Yoga framework engine are properly encapsulated and can only be accessed through getter and setter methods. This will help maintain the integrity of the data and prevent unauthorized access or modification of the internal state. Additionally, consider using TypeScript or similar tools that provide better support for private fields and enhance type safety in your codebase.
Awsappsync Ensure that all sensitive data, such as API keys and user credentials, are stored in AWS Secrets Manager or another secure storage service. Do not hardcode sensitive information within the AWS AppSync resolvers or schema definitions. Implement fine-grained access control using AWS Identity and Access Management (IAM) to restrict who can access the AppSync API and what actions they can perform. Regularly audit and rotate credentials to minimize the risk of unauthorized access.
Graphqlgo Ensure that private fields in your GraphQL schema are properly encapsulated and are not exposed through the API. Implement field-level permissions and use schema directives to control access to sensitive data. Regularly review your schema and resolver functions to verify that private fields are only accessible to authorized users.
Graphqlruby In the GraphQL Ruby framework, ensure that private fields are not inadvertently exposed through the API. Use the `private` keyword to define private fields within your Ruby classes, and apply proper scoping rules to control access. Additionally, leverage the built-in visibility feature of GraphQL Ruby to control field visibility at the schema level. This can be done by defining visibility methods or using the `visible?` method on field definitions to determine if a field should be accessible to the current querying user. Always include tests to verify that private fields are not exposed to unauthorized users.
Hasura Ensure that all sensitive fields are marked as private in the Hasura schema and access permissions are properly configured to prevent unauthorized access to private fields.
Agoo Implement access control checks to ensure that only authorized users can access private fields in objects, according to the rules specified in the configuration file.
Ariadne Implement access control checks to ensure that only authorized users can access private fields in the Ariadne framework engine.
Caliban Ensure that all private fields in the Caliban framework engine are properly encapsulated and access is restricted to authorized users only.
Dgraph Implement access control lists (ACLs) to restrict unauthorized access to objects and object fields in the Dgraph framework.
Dianajl Implement access control mechanisms to restrict unauthorized access to objects and object fields in the Dianajl framework engine.
Directus Implement role-based access control to ensure that only authorized users can access specific objects and object fields in the Directus framework.
Flutter Ensure that sensitive data in Flutter applications is stored in private fields and accessed through secure methods to prevent unauthorized access.
Graphene Implement access control checks to ensure that only authorized users can access private fields in the Graphene framework.
Graphqlapiforwp Implement access control checks to ensure that only authorized users can access specific objects and object fields in the GraphQL API for WP framework.
Graphqlgophergo Implement access control checks to ensure that only authorized users can access specific objects and object fields in the GraphQLGopherGo framework.
Graphqljava Implement field-level authorization checks in the GraphQL Java framework to ensure that only authorized users can access specific object fields.
Graphqlphp Implement field-level authorization checks in the GraphQLPHP framework to ensure that only authorized users can access specific objects and object fields.
Graphqlyoga Implement access control mechanisms to restrict unauthorized access to objects and object fields in the GraphQL Yoga framework. Ensure that only authenticated and authorized users can query sensitive data by defining appropriate permissions and using middleware to enforce these rules.
Hypergraphql Implement access control mechanisms to restrict unauthorized access to objects and object fields in the HyperGraphQL framework.
Jaal Implement access control mechanisms to restrict unauthorized access to objects and object fields in the Jaal framework engine.
Juniper Implement access controls to restrict unauthorized access to objects and object fields in the Juniper framework engine.
Lacinia Ensure that private fields in the Lacinia framework are properly secured by implementing access control mechanisms and validating user permissions before granting access.
Lighthouse Implement access controls to restrict unauthorized access to objects and object fields according to the configuration rules.
Mercurius Implement access control checks to ensure that only authorized users can access private fields in the Mercurius framework engine.
Morpheusgraphql Implement access control mechanisms to restrict unauthorized access to objects and object fields in the Morpheus GraphQL framework.
Qglgen Ensure that private fields in the gqlgen framework are properly secured by using access control mechanisms to restrict unauthorized access.
Sangria Ensure that private fields in the Sangria framework are properly secured by implementing access control mechanisms and using field-level authorization to restrict access to sensitive data.
Shopify Implement access controls to ensure that only authorized users can access private fields in the Shopify framework engine.
Stepzen Implement access control rules to restrict unauthorized access to objects and object fields in the StepZen framework.
Strawberry Ensure that private fields in the Strawberry framework engine are properly encapsulated and access is restricted to authorized users only, by using access modifiers and implementing authentication checks.
Tartiflette Implement access control mechanisms to restrict unauthorized access to objects and object fields in the Tartiflette framework.
Wpgraphql Implement field-level authorization checks to ensure that only authorized users can access specific object fields in the WPGraphQL framework.

REST Specific

Asp_net Ensure that all sensitive fields within objects are marked as private and utilize proper encapsulation. Implement strong access control checks within the ASP.NET framework to prevent unauthorized access to object fields. Regularly review your codebase for adherence to the principle of least privilege and update your access control mechanisms accordingly.
Ruby_on_rails In Ruby on Rails, ensure that private fields are not exposed to unauthorized users by using strong parameters. Implement `attr_accessor` for fields that should be modifiable and use `private` or `protected` keywords for sensitive fields. Leverage the `before_action` callback to check user permissions before granting access to certain controller actions. Additionally, employ the `current_user` method to verify user identity and scope queries to the current user's accessible data using Active Record associations and scopes.
Next_js Ensure that all sensitive fields within your Next.js application are declared as private class fields or encapsulated within modules, and utilize proper access control checks before exposing any user data. Implement server-side authentication and authorization mechanisms to restrict access to private fields based on user roles and permissions. Regularly audit your codebase to adhere to the principle of least privilege, and keep your access control logic up-to-date with the latest security practices.
Laravel In Laravel, ensure that you are using Eloquent's built-in methods for data access and manipulation, which automatically protect against unauthorized access. Implement proper authentication and authorization checks using middleware, policies, and gates to control access to private fields and objects. Additionally, use Laravel's Mass Assignment protection by defining `$fillable` or `$guarded` properties on your models to prevent unauthorized updates to sensitive fields.
Express_js Ensure that all private fields in Express.js applications are properly encapsulated and not directly accessible from the client side. Implement middleware for authentication and authorization checks to restrict access to sensitive object fields based on user roles and permissions. Use closures or Symbols in JavaScript for true privacy, and consider leveraging Object.defineProperty() to create private fields with getters and setters. Regularly review your codebase for accidental global variable leaks and enforce strict access control policies in your application logic.
Django Ensure that Django models use the appropriate field-level permissions and queryset filtering to prevent unauthorized access to private fields. Implement Django's built-in authentication and permission classes, and override `get_queryset` in your views to filter data based on the current user's permissions.
Symfony In the Symfony framework, ensure that access to private object fields is controlled by using the built-in security features. Define access control rules in 'security.yaml', use Voters for fine-grained permissions, and leverage the 'security.authorization_checker' service to explicitly check access rights in your code. Additionally, avoid exposing sensitive fields through serialization groups when using the Serializer component.
Spring_boot Ensure that the Spring Boot application uses proper access modifiers for fields and methods. Leverage the `@JsonIgnore` annotation to prevent sensitive fields from being serialized and exposed in responses. Implement method-level security with `@PreAuthorize` or `@Secured` annotations to restrict access to API endpoints based on user roles or permissions. Additionally, use Spring Security's ACL module for fine-grained access control over domain objects.
Flask Ensure that Flask routes that handle sensitive data are protected with appropriate authentication and authorization checks. Use Flask extensions like Flask-Login or Flask-Security for user session management, and decorators such as @login_required to restrict access to private fields. Additionally, validate and sanitize all user inputs to prevent injection attacks.
Nuxt Ensure that all private fields in Nuxt.js components are properly encapsulated and not exposed to the client side. Use the Vue.js data function for component-specific state and computed properties for derived state. Avoid using or modifying the window object directly, and utilize Nuxt.js modules or plugins to manage global state and side-effects.
Fastapi Ensure that all endpoint handlers in FastAPI validate user permissions before accessing or modifying private fields. Implement role-based access control (RBAC) and use dependency injection to verify the user's role at the start of each request. Additionally, consider using Pydantic models to explicitly define which fields are accessible for reading or writing based on the user's role.
Frappe Implement role-based access control to ensure that only authorized users can access specific objects and object fields in the Frappe framework.
Genzio Implement access control checks to ensure that only authorized users can access private fields in the Genzio framework engine.
Gin Implement middleware to enforce access control on object fields, ensuring only authorized users can access sensitive data in the Gin framework.
Gorilla Implement access controls to restrict unauthorized access to objects and object fields according to the configuration rules.
Hapi Implement access control checks to ensure that only authorized users can access private fields in objects within the Hapi framework.
Hono Implement access control mechanisms to ensure that only authorized users can access private fields in objects, following the rules specified in the configuration file.
Jersey Ensure that private fields in Jersey framework resources are properly encapsulated and accessed through secure methods to prevent unauthorized access.
Koa Implement middleware to restrict access to private fields in Koa framework
Ktor Ensure that private fields in Ktor applications are properly encapsulated and accessed only through secure methods, implementing access controls and validation to prevent unauthorized access.
Leptos Implement access control checks to ensure that only authorized users can access private fields in the Leptos framework.
Macaron Ensure that private fields in the Macaron framework are properly encapsulated and access is restricted to authorized users only by using access modifiers and implementing authentication checks.
Phoenix Ensure that sensitive data in Phoenix framework is protected by using private fields and access controls to prevent unauthorized access.
Redwoodjs Implement RedwoodJS's built-in access control mechanisms to restrict unauthorized access to objects and object fields, ensuring that only authenticated and authorized users can access sensitive data.
Rocket Implement access control mechanisms to restrict unauthorized access to objects and object fields in the Rocket Framework engine.
Sveltekit Implement access control checks to ensure that only authorized users can access specific objects and object fields in the SvelteKit framework.

Configuration

Identifier: access_control/private_fields

Options

  • empty_values_are_positive : When the API returns a None value without error is the field considered to be successfully accessed ?

Parameters

__user : (For Graphql) An object {objectName:[fieldName]} represting object fields that the user is not supposed to have access to.

rules : (For REST) The list of private fields rules to check during a scan.

Examples

GraphQL: Accessiblity of private objects in a GraphQL API for not authenticated users.

{
  "auth": {
    "public": {                      #
      "tech": "public"               # Default value on a new application
    },                               #
    ... REDACTED AUTH ...
  },
  "users": {
    "public": {                      #
      "auth": "public"               # Default value on a new application
    },                               #
    "exampleUser": {
      ... REDACTED AUTH ...
    }
  }
  ... Other configuration settings ...

  "checks": {

    ... Other checks ...

    "access_control/private_fields": {
      "public": {                    <--- Triggering on a "users" object key
        "Query": [                   <--- Object name
          "getUsersById",            <--- Field name
          "getAllUsers"              # Here, the public user is not supposed to
                                      #  have access to the "getUsersById" and "getAllUsers" queries.
        ],
        "Mutation": [
          ...
        ],
        "User": [                    docs
          "id"                       # Here, the public user is not supposed to
                                      #  have access to the "id" field of the "User" object
        ]
      }
    }

    ... Other checks ...
  }

  ... Other configuration settings ...
}

REST: Ensure user some-user cannot access the routes GET /admin and PUT /user/role/{roleId}

{
  "auth": {                       #
    ... REDACTED AUTH ...
  },
  "users": {
    ... Other users ...
    "some-user": {                # User to check
      ... REDACTED AUTH ...
    }
    ... Other users ...
  }
  ... Other configuration settings ...

  "checks": {

    ... Other checks ...

    "AccessControl_PrivateFields": {
      "parameters": {
        "rules": [
          "user": "some-user",
          "routes": [
            {
              "method": "GET",
              "path": "/admin"
            },
            {
              "method": "GET",
              "path": "/admin/.*"             # Regex are supported
            },
            {
              "method": "PUT",
              "path": "/user/role/{roleId}"
            }
          ]
        ]
      }
    }

    ... Other checks ...
  }

  ... Other configuration settings ...
}

REST: Ensure user some-user cannot access the fields email and credentials.apiKey route GET /admin

{
  "auth": {                       #
    ... REDACTED AUTH ...
  },
  "users": {
    ... Other users ...
    "some-user": {                # User to check
      ... REDACTED AUTH ...
    }
    ... Other users ...
  }
  ... Other configuration settings ...

  "checks": {

    ... Other checks ...

    "AccessControl_PrivateFields": {
      "parameters": {
        "rules": [
          "user": "some-user",
          "routes": [
            {
              "method": "GET",
              "path": "/admin",
              "fields": [
                "email",
                "credentials.apiKey"
              ]
            }
          ]
        ]
      }
    }

    ... Other checks ...
  }

  ... Other configuration settings ...
}

REST: Ensure user some-user cannot access a field admin-* on route GET /admin

{
  "auth": {                       #
    ... REDACTED AUTH ...
  },
  "users": {
    ... Other users ...
    "some-user": {                # User to check
      ... REDACTED AUTH ...
    }
    ... Other users ...
  }
  ... Other configuration settings ...

  "checks": {

    ... Other checks ...

    "AccessControl_PrivateFields": {
      "parameters": {
        "rules": [
          "user": "some-user",
          "routes": [
            {
              "method": "GET",
              "path": "/admin",
              "fields": [
                "admin-*",
              ]
            }
          ]
        ]
      }
    }

    ... Other checks ...
  }

  ... Other configuration settings ...
}

Ignore this check

checks:
  access_control/private_fields:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API1:2023
  • OWASP LLM: LLM06:2023
  • pci: 7.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.18.1
  • nist: SP800-53
  • fedramp: AC-6

Classification

  • CWE: 284

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References