
🐛 Bug Report: information disclosure in error response at the Bazaar plugin

Open pjungermann opened this issue 1 year ago • 4 comments

📜 Description

If a request fails at the server side, e.g., due to a project ID that does not exist.

👍 Expected behavior

No database structure is disclosed.

👎 Actual Behavior with Screenshots

The database structure of this plugin is disclosed:

{
    "error": {
        "name": "error",
        "message": "insert into \"members\" (\"item_id\", \"picture\", \"user_id\", \"user_ref\") values ($1, $2, $3, $4) - insert or update on table \"members\" violates foreign key constraint \"members_item_id_foreign\"",
        "length": 259,
        "severity": "ERROR",
        "code": "23503",
        "detail": "Key (item_id)=(7) is not present in table \"metadata\".",
        "schema": "public",
        "table": "members",
        "constraint": "members_item_id_foreign",
        "file": "ri_triggers.c",
        "line": "2539",
        "routine": "ri_ReportViolation"
    },
    "request": {
        "method": "PUT",
        "url": "/projects/7/member/Guest"
    },
    "response": {
        "statusCode": 500
    }
}

👟 Reproduction steps

// backstageBaseUrl is not defined in the original report; placeholder value assumed here
const backstageBaseUrl = 'http://localhost:7007';
const invalidProjectId = 1234; // a project ID that does not exist
const newMember = 'anything';
fetch(`${backstageBaseUrl}/api/bazaar/projects/${invalidProjectId}/member/${newMember}`, {
  "method": "PUT",
  "body": "{}"
});

📃 Provide the context for the Bug.

No response

🖥️ Your Environment

Backstage 1.18.4

"@backstage/plugin-bazaar-backend": "^0.3.2"

👀 Have you spent some time to check if this bug has been raised before?

  • [X] I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

None

pjungermann avatar Oct 10 '23 14:10 pjungermann

In general, the plugin does not use UUID as an ID type/format, and members can be anything; a member is not a ref to a user entity.

pjungermann avatar Oct 10 '23 14:10 pjungermann

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Dec 09 '23 15:12 github-actions[bot]

👍, noting that I think we could also apply the more general solution of filtering out any knex errors in our error handling middleware and instead log them in some useful way.

Rugvip avatar Dec 12 '23 10:12 Rugvip
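One way to implement the error-handling middleware approach described in the comment above, as an added example that is not code from Backstage or the Bazaar plugin. It assumes an Express app and a logger object with an `error()` method; the sample error is constructed to match the shape of the pg error quoted in this issue.

```javascript
// Added example (not Backstage's own code): an Express-style error-handling
// middleware that keeps knex/pg errors out of HTTP responses and logs them
// server-side instead. Assumes an Express app and a logger with .error().

// Fields that only a PostgreSQL driver (pg) error carries; knex passes them
// through unchanged. Their presence is a reliable sign the error came straight
// from the database layer rather than from application code.
const DB_ERROR_FIELDS = ['schema', 'table', 'constraint', 'routine', 'severity'];

function isDatabaseError(err) {
  return !!err && typeof err === 'object' && DB_ERROR_FIELDS.some(f => f in err);
}

// The body that may leave the server. SQL text, table and constraint names
// never reach the client; they go to the log in the middleware below.
function sanitizeError(err) {
  if (isDatabaseError(err)) {
    return {
      statusCode: 500,
      body: { error: { name: 'InternalServerError', message: 'Internal server error' },
              response: { statusCode: 500 } },
    };
  }
  // Non-database errors are assumed to already carry a client-safe message.
  const statusCode = err.statusCode || 500;
  return { statusCode, body: { error: { name: err.name || 'Error', message: err.message },
                               response: { statusCode } } };
}

// Express error middleware signature: (err, req, res, next).
function dbErrorHandler(logger) {
  return (err, req, res, _next) => {
    const { statusCode, body } = sanitizeError(err);
    if (isDatabaseError(err)) {
      // Keep the useful detail for operators: which table/constraint failed and why.
      logger.error(`database error on ${req.method} ${req.url}: ${err.message}`,
        { code: err.code, table: err.table, constraint: err.constraint, detail: err.detail });
    }
    res.status(statusCode).json(body);
  };
}

// Constructed sample shaped like the pg error in this issue (message shortened).
const SAMPLE_DB_ERROR = {
  name: 'error', code: '23503', severity: 'ERROR', schema: 'public', table: 'members',
  constraint: 'members_item_id_foreign', routine: 'ri_ReportViolation',
  message: 'insert into "members" ... violates foreign key constraint "members_item_id_foreign"',
  detail: 'Key (item_id)=(7) is not present in table "metadata".',
};
// In a real app, register it after all routes: app.use(dbErrorHandler(logger));
```

The middleware only changes what the client sees; the route itself would still need to validate the project ID up front to return a 404 instead of a generic 500.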

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Feb 10 '24 10:02 github-actions[bot]