Headline
GHSA-9722-9j67-vjcr: Improper Authorization in Select Permissions
Due to the order in which permissions were processed, some statements, filters and computations could lead to leaking field values or record contents to users without the required permissions. This behavior could be triggered in different scenarios:
When performing a
SELECToperation on a table, the values that would be returned were iterated over, field permissions would be validated and any unauthorized value would be removed from the result returned. However, performing aSELECT VALUEoperation (e.g.SELECT VALUE private FROM data) would result in a non-iterable value, which would not be removed from the returned result.When aliasing a field (e.g.
SELECT private AS public FROM data) for which the user did not haveSELECTpermissions within aSELECTquery, permissions would be checked against the field of the resulting document containing the aliased field instead of the original document containing the original field. As a consequence, the original field value would be returned as the returned field would not match the original field where permissions had been defined.When calling a function in the context of a
SELECTquery and passing a field with permissions as an argument to the function (e.g.SELECT string::lowercase(private) FROM data), the function would receive the field value before it had been removed from the document due toSELECTpermissions. As a result, the function would have access to the value of the field regardless of field permissions. This case includes functions called from within events and other clauses that support function calling.When executing a query containing a
WHEREclause filtering records by a field that the querying user does not have access toSELECT(e.g.SELECT public FROM data WHERE private ~ "secret"), the response of that query would still take the value of the field into account. Even though the value of the protected field would not be returned, this behavior could be used as a side channel by the querying user to infer information about the value of the field.When performing
UPDATEorDELETEoperations over a table with a user that had those permissions but noSELECTpermission, theRETURN BEFOREclause could be used (e.g.DELETE data RETURN BEFORE) to read the contents of the records prior to the authorized update or the deletion despite the querying user not being authorized to performSELECToperations.When performing
UPDATEoperations on a table for which the user hadSELECTandUPDATEpermissions, theSETclause could reference fields that the user hadUPDATEbut noSELECTpermission for (e.g.UPDATE data SET public = private) in order to update the value of a field that the user had permission toSELECTto the value of another field for which the user did not.
Impact
Clients that were authorized by table permissions to execute SELECT statements for a table but were not authorized by field permissions to run SELECT queries for a specific field could still have been able to gain knowledge of the value of that field. Additionally, clients that were authorized to execute UPDATE or DELETE statements for a table but not authorized to execute SELECT statements for the same table may have been able to gain knowledge of the contents of records in that table. This could only be exploited by users who were already authorized to execute queries on the database with the affected table or field.
Due to its relationship with table and field permissions, which apply mainly to record users rather than system users, this issue mostly affects users relying on SurrealDB as a backend-as-a-service rather than SurrealDB as a traditional database backend.
Patches
The behavior when evaluating table or field permissions and filtering records or fields as a result of those evaluations has been improved to consider permissions before any changes to the document have been made and, when relevant, permissions after changes to the document have taken place. When a user is unauthorized to view record contents and field values by permissions, the returned documents will behave as if the record or field did not exist in order to prevent leaking any information.
- Version 2.0.4 and later are not affected by this issue.
Workarounds
Users affected by this issue and unable to update should not rely on the authorization provided by field permissions when it comes to the SELECT permission. Instead, read access to fields in affected versions should be restricted at the table level. When allowing the UPDATE or DELETE operations for records via table permissions, users should not rely of the authorization provided by the SELECT permission. Instead, users should not allow clients to UPDATE or DELETE records that they should not be able to view.
Due to the order in which permissions were processed, some statements, filters and computations could lead to leaking field values or record contents to users without the required permissions. This behavior could be triggered in different scenarios:
When performing a SELECT operation on a table, the values that would be returned were iterated over, field permissions would be validated and any unauthorized value would be removed from the result returned. However, performing a SELECT VALUE operation (e.g. SELECT VALUE private FROM data) would result in a non-iterable value, which would not be removed from the returned result.
When aliasing a field (e.g. SELECT private AS public FROM data) for which the user did not have SELECT permissions within a SELECT query, permissions would be checked against the field of the resulting document containing the aliased field instead of the original document containing the original field. As a consequence, the original field value would be returned as the returned field would not match the original field where permissions had been defined.
When calling a function in the context of a SELECT query and passing a field with permissions as an argument to the function (e.g. SELECT string::lowercase(private) FROM data), the function would receive the field value before it had been removed from the document due to SELECT permissions. As a result, the function would have access to the value of the field regardless of field permissions. This case includes functions called from within events and other clauses that support function calling.
When executing a query containing a WHERE clause filtering records by a field that the querying user does not have access to SELECT (e.g. SELECT public FROM data WHERE private ~ “secret”), the response of that query would still take the value of the field into account. Even though the value of the protected field would not be returned, this behavior could be used as a side channel by the querying user to infer information about the value of the field.
When performing UPDATE or DELETE operations over a table with a user that had those permissions but no SELECT permission, the RETURN BEFORE clause could be used (e.g. DELETE data RETURN BEFORE) to read the contents of the records prior to the authorized update or the deletion despite the querying user not being authorized to perform SELECT operations.
When performing UPDATE operations on a table for which the user had SELECT and UPDATE permissions, the SET clause could reference fields that the user had UPDATE but no SELECT permission for (e.g. UPDATE data SET public = private) in order to update the value of a field that the user had permission to SELECT to the value of another field for which the user did not.
Impact
Clients that were authorized by table permissions to execute SELECT statements for a table but were not authorized by field permissions to run SELECT queries for a specific field could still have been able to gain knowledge of the value of that field. Additionally, clients that were authorized to execute UPDATE or DELETE statements for a table but not authorized to execute SELECT statements for the same table may have been able to gain knowledge of the contents of records in that table. This could only be exploited by users who were already authorized to execute queries on the database with the affected table or field.
Due to its relationship with table and field permissions, which apply mainly to record users rather than system users, this issue mostly affects users relying on SurrealDB as a backend-as-a-service rather than SurrealDB as a traditional database backend.
Patches
The behavior when evaluating table or field permissions and filtering records or fields as a result of those evaluations has been improved to consider permissions before any changes to the document have been made and, when relevant, permissions after changes to the document have taken place. When a user is unauthorized to view record contents and field values by permissions, the returned documents will behave as if the record or field did not exist in order to prevent leaking any information.
- Version 2.0.4 and later are not affected by this issue.
Workarounds
Users affected by this issue and unable to update should not rely on the authorization provided by field permissions when it comes to the SELECT permission. Instead, read access to fields in affected versions should be restricted at the table level. When allowing the UPDATE or DELETE operations for records via table permissions, users should not rely of the authorization provided by the SELECT permission. Instead, users should not allow clients to UPDATE or DELETE records that they should not be able to view.
References
- GHSA-9722-9j67-vjcr
- surrealdb/surrealdb#2161
- surrealdb/surrealdb#3924
- surrealdb/surrealdb#4785
- surrealdb/surrealdb#4800
- surrealdb/surrealdb#4873
- surrealdb/surrealdb@439ab99
- surrealdb/surrealdb@c382fa1
- surrealdb/surrealdb@e75e773
- https://surrealdb.com/docs/surrealdb/security/summary#permissions
- https://surrealdb.com/docs/surrealql/statements/define/field#setting-permissions-on-fields
- https://surrealdb.com/docs/surrealql/statements/define/table#defining-permissions