Headline
CVE-2023-40027: Fix `ui.isAccessAllowed` when `undefined` to prevent access by dcousens · Pull Request #8771 · keystonejs/keystone
Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When ui.isAccessAllowed is set as undefined, the adminMeta GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a session strategy is not defined. This vulnerability does not affect developers using the @keystone-6/auth package, or any users that have written their own ui.isAccessAllowed (that is to say, isAccessAllowed is not undefined). This vulnerability does affect users who believed that their session strategy will, by default, enforce that adminMeta is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in @keystone-6/core version 5.5.1. Users are advised to upgrade. Users unable to upgrade may opt to write their own isAccessAllowed functionality to work-around this vulnerability.
- Fixes GHSA-9cvc-v7wm-992c
Please see the security vulnerability report for an up-to-date description and work-around if you can’t update.
What happened
The default AdminUI middleware prevents access to the AdminUI if
- a session strategy configuration has been defined, and
- context.session is undefined or falsey
This is not what happens for the adminMeta GraphQL query, which falls back on public access when isAccessAllowed is undefined.
The GraphQL and AdminUI middleware behaviour should be the same.
We haven’t committed or documented what the behaviour should be, so what we fall back on is open ended.
In this pull request, I have opted to fall back to the same behaviour as the default Admin UI middleware, as the behaviour that users would have observed and probably expect.
Related news
### Summary When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible, that is to say, no session is required for the query. This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a `session` strategy is not defined. ### Impact This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, you are unaffected if `ui.isAccessAllowed` is defined). This vulnerability does affect developers who thought that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. ### Patches This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. ### Workarounds You can opt to write your own `isAccessAllowed` to work-around this vulnerability. ### References ...