Private data

Description

According to the rules provided in the configuration file, private data can be accessed by unauthorized users.

Remediation

The best way to ensure that private data can only be accessed by authorized users is by implementing a proper access control system. To do so, access control must be applied to every object and every link in the graphQL schema.

Apollo

See Apollo's Access Control documentation. For large scale applications, you'll want to use a specific package like GraphQL Shield for quick and easy Access Control management.

Awsappsync

Appsync provides several methods for protecting critical information.

To learn more on implementing fine-grained access control, head over to https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#fine-grained-access-control.

Hasura

See Hasura's detailed documentation for Authorization Management.

Configuration

CheckId: access_control/private_data

Parameters

user : A list of fieldName:[scalarValues] the user should never be able to access. Set .* as fieldName to avoid the value everywhere.

{'__user': [{'**value**': ['**value**']}]}

Examples

Ignoring this check

{
    "checks": {
        "access_control/private_data": {
            "skip": true
        }
    }
}

Score

Escape Severity: HIGH
OWASP: A03:2023
PCI DSS: 6.5.8
CWE
- 200
- 201
- 284
- 668
- 1198
- 1212
- 1220
WASC: 22

CVSS

CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
CVSS_SCORE: 5.1

References

https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html

Private data

Description​

Remediation​

Configuration​

Parameters​

Examples​

Ignoring this check​

Score​

CVSS​

References​