Hi!
We have received a security concern from our client that the password property is searchable from the “Users” view through URL parameter manipulation. This is reproducible on version 2.2.0.
Steps to reproduce:
- Create a new Jmix project with Jmix Studio (Full stack application)
- Run the application
- Log in and navigate to Application → Users
- Add a search condition with the “Email” property.
- Change the property name in the URL to “password”. For example:
  `/users?genericFilterCondition=property%3Apassword_contains_hash`
- Change the searched value to “noop”. The hash for the default user is “{noop}admin”
- See the visible row with the “admin” user.
Expected result: error or no rows returned.
I tried to mitigate this by:
- Configuring property exclusion on the generic filter:
  ```xml
  <genericFilter id="genericFilter" dataLoader="usersDl">
      <properties include=".*" excludeProperties="password"/>
  </genericFilter>
  ```
  This doesn’t work. The search bypasses this exclusion.
- Programmatically excluding it with the example from genericFilter :: Jmix Documentation.
  This handler is never invoked with the property “password”.
- Removing the generic filter. This actually works.
From the security standpoint, the “password” property should not be searchable. We could automate the process of retrieving the entire hash stored in the database.
Is there another method to block this behavior?
Thanks.
Product version:
Jmix version: 2.2.0
Jmix Studio plugin version: 2.2.0-233
IntelliJ version: IntelliJ IDEA 2023.3.5 (Ultimate Edition)
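Until the filter itself rejects the property, the request pattern described in the report can at least be spotted in access logs. The following is an added example, not Jmix code, that parses the `genericFilterCondition` query parameter from constructed combined-format access log lines and flags conditions that target the `password` property; the `property:<name>_<op>...` layout of the parameter is assumed from the URL quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Entity properties that should never appear in a UI filter condition.
SENSITIVE_PROPERTIES = {"password"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def filtered_properties(target):
    """Return the property names referenced by genericFilterCondition parameters.

    Assumes the value looks like 'property:<name>_<operation>...', as in the
    URL from the report; parse_qs already decodes the %3A to ':'.
    """
    query = urlsplit(target).query
    props = []
    for cond in parse_qs(query).get("genericFilterCondition", []):
        if cond.startswith("property:"):
            props.append(cond[len("property:"):].split("_", 1)[0])
    return props


def scan(lines):
    """Return one finding per log line whose filter targets a sensitive property."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        hits = [p for p in filtered_properties(m["target"]) if p.lower() in SENSITIVE_PROPERTIES]
        for prop in hits:
            findings.append({"ip": m["ip"], "property": prop, "status": m["status"]})
    return findings


# Constructed sample lines: a legitimate email filter, the password filter, and a plain request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /users?genericFilterCondition=property%3Aemail_contains_hash HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /users?genericFilterCondition=property%3Apassword_contains_hash HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /users HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} filtered on sensitive property '{f['property']}' (HTTP {f['status']})")
```

A `200` on such a request means the filter was accepted; pairing the finding with the rendered-rows count would tell you whether a hash was actually disclosed.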