+ "details": "## Summary\n\nThe `choices` and `counts` query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing `publicApiProjection` restrictions that are intended to limit which fields are exposed publicly. Fields protected by `viewPermission` are similarly exposed.\n\n## Details\n\nWhen a piece type configures `publicApiProjection` to enable public API access while restricting visible fields, the restriction is enforced via a MongoDB projection on the main query (piece-type/index.js:1130-1134). However, the `choices` and `counts` query builders bypass this protection through a separate code path.\n\nThe vulnerable flow:\n\n1. `getRestQuery` at piece-type/index.js:1120 calls `applyBuildersSafely(req.query)` (line 1122), which processes query parameters including `choices` and `counts` since both have `launder` methods (doc-type/index.js:2627-2628 and 2675-2676).\n\n2. The `publicApiProjection` is applied afterward (line 1130-1134) as a MongoDB projection on the main query.\n\n3. During query execution, the `choices` builder's `after` handler (doc-type/index.js:2636-2668) iterates over requested field names. The only validation is:\n - The field has a registered builder (`_.has(query.builders, filter)` at line 2651)\n - The builder has a `launder` method (line 2656)\n\n All schema field types (string, integer, float, select, boolean, date, slug, relationship) register query builders with `launder` methods via `addQueryBuilder` in `addFieldTypes.js`.\n\n4. `toChoices` (line 2661) calls the field's `choices` function, which typically calls `sortedDistinct` → `toDistinct`. The `toDistinct` method (doc-type/index.js:2811) executes `db.distinct(property, criteria)` — a MongoDB operation that returns all distinct values for the given property matching the criteria. **MongoDB's `distinct` operation does not respect projections**; it operates directly on the specified field regardless of any projection set on the query.\n\n5. The results are stored via `query.set('choicesResults', choices)` (line 2666) and returned directly in the API response at piece-type/index.js:292-296 without any filtering against `publicApiProjection` or `removeForbiddenFields`.\n\nThe same bypass applies to `viewPermission`-protected fields: `removeForbiddenFields` (doc-type/index.js:1585-1611) only processes document results from `toArray()`, not the separate choices/counts data.\n\nThe page REST API has the same issue at page/index.js:371-376.\n\n## PoC\n\n```bash\n# Prerequisites:\n# - An Apostrophe 4.x instance with a piece type configured with publicApiProjection\n# - Example: an 'article' piece type with:\n# publicApiProjection: { title: 1, slug: 1, _url: 1 }\n# and additional schema fields like 'status' (select), 'priority' (integer),\n# or 'internalNotes' (string) NOT in the projection\n\n# 1. Verify normal API access only returns projected fields\ncurl -s 'http://localhost:3000/api/v1/article' | python3 -m json.tool\n# Response results contain only: title, slug, _url (as configured)\n\n# 2. Extract distinct values of a non-projected field via choices\ncurl -s 'http://localhost:3000/api/v1/article?choices=status' | python3 -m json.tool\n# Response includes:\n# \"choices\": {\"status\": [{\"value\": \"draft\", \"label\": \"draft\"}, {\"value\": \"published\", \"label\": \"published\"}, ...]}\n\n# 3. Extract distinct values with document counts via counts\ncurl -s 'http://localhost:3000/api/v1/article?counts=priority' | python3 -m json.tool\n# Response includes:\n# \"counts\": {\"priority\": [{\"value\": 1, \"label\": \"1\", \"count\": 15}, {\"value\": 2, \"label\": \"2\", \"count\": 8}, ...]}\n\n# 4. Multiple fields can be extracted at once\ncurl -s 'http://localhost:3000/api/v1/article?choices=status,priority,internalNotes'\n```\n\n## Impact\n\n- **Distinct field values leaked**: An unauthenticated attacker can extract all distinct values of any schema field on any piece type that has `publicApiProjection` configured, even when those fields are explicitly excluded from the projection.\n- **Field types affected**: All field types that register query builders: string, slug, integer, float, select, boolean, date, and relationship fields.\n- **Count disclosure**: The `counts` variant additionally reveals how many documents have each distinct value, providing statistical information about the dataset.\n- **viewPermission bypass**: Fields protected with `viewPermission` (intended for role-based field access) are also exposed via this path.\n- **Both APIs affected**: The piece-type REST API (piece-type/index.js:292-296) and page REST API (page/index.js:371-376) are both vulnerable.\n- **Real-world impact**: If a CMS stores sensitive data in schema fields (e.g., internal status values, priority levels, internal categories, user-facing content marked as restricted), all distinct values are extractable by any unauthenticated visitor.\n\n## Recommended Fix\n\nIn the `choices` builder's `after` handler (doc-type/index.js:2636-2668), add validation to skip fields not permitted by `publicApiProjection` and `viewPermission`:\n\n```javascript\n// doc-type/index.js, in the choices builder's after handler (line 2644 area)\nfor (const filter of filters) {\n if (!_.has(query.builders, filter)) {\n continue;\n }\n if (!query.builders[filter].launder) {\n continue;\n }\n\n // NEW: Enforce publicApiProjection restrictions on choices/counts\n const publicApiProjection = query.get('project');\n if (publicApiProjection && !publicApiProjection[filter]) {\n continue;\n }\n\n // NEW: Enforce viewPermission field restrictions\n const field = self.schema.find(f => f.name === filter);\n if (field && field.viewPermission &&\n !self.apos.permission.can(query.req, field.viewPermission.action, field.viewPermission.type)) {\n continue;\n }\n\n const _query = baseQuery.clone();\n _query[filter](null);\n choices[filter] = await _query.toChoices(filter, { counts: query.get('counts') });\n}\n```\n\nAdditionally, apply the same fix in the page REST API handler (page/index.js) for consistency.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments