Closed richardpringle closed 8 years ago
Cross posting @michaelfreund's https://github.com/strongloop/loopback/issues/2398#issuecomment-224303992
It is an information leak, where model IDs can be iterated to check for model existence. This might be necessary information for a further attack.
@michaelfreund @zkuang @richardpringle I have submitted two alternative pull requests to fix this issue, see #315 and #316. We are discussing with @ritch what would be the best fix; our concern is backwards compatibility. Feel free to try those patches out in your app and/or leave a comment telling us your thoughts.
The fix is available in strong-remoting@2.28.1
@bajtos we can confirm this fixes strongloop/loopback#2220 for us.
@bajtos sorry for the late reply. I'll check them out. Thanks very much.
When making a call to

```
VERB api/ExampleModel/:id/operation
```

the ACL is only checked upon model instance discovery; otherwise you get a 404 response instead of a 401. This indicates that a record with that particular id does not exist, even if the user does not have permission to check whether particular models exist or not.
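The ordering problem described in the issue body, as an added example (this is not strong-remoting or LoopBack code, and it does not describe how #315/#316 implement the fix): a plain Node.js module with two handlers for the same route, one that resolves `:id` before consulting the ACL and one that consults the ACL first. The in-memory store, the admin-only policy and the probed id range are assumptions made for the demonstration.

```javascript
// Added example, not strong-remoting or LoopBack code. It models the two
// possible orderings of "resolve :id" and "check the ACL" for a call to
// VERB api/ExampleModel/:id/operation, using plain functions in place of
// the remoting pipeline. The store, roles and ids are constructed here.

// Constructed in-memory store standing in for ExampleModel's data source.
const exampleModels = new Map([
  [1, { id: 1, owner: 'alice' }],
  [3, { id: 3, owner: 'bob' }],
]);

// Hypothetical ACL for the example: only an authenticated caller holding
// the 'admin' role may invoke the operation. `user` is null for anonymous.
function isAllowed(user) {
  return Boolean(user) && Array.isArray(user.roles) && user.roles.includes('admin');
}

// Vulnerable ordering: the instance is looked up first and the ACL is only
// consulted once an instance was found. An unauthorized caller therefore
// gets 404 for ids that do not exist and 401 for ids that do, so the
// status code alone tells them whether :id exists.
function lookupThenAuthorize(user, id) {
  const instance = exampleModels.get(id);
  if (instance === undefined) return { status: 404 };
  if (!isAllowed(user)) return { status: 401 };
  return { status: 200, body: instance };
}

// Fixed ordering: the ACL is evaluated before the data source is touched.
// An unauthorized caller gets 401 whether or not :id exists; only a caller
// who is allowed to run the operation ever learns that an id is missing.
function authorizeThenLookup(user, id) {
  if (!isAllowed(user)) return { status: 401 };
  const instance = exampleModels.get(id);
  if (instance === undefined) return { status: 404 };
  return { status: 200, body: instance };
}

// Probe the handler as an anonymous caller over a range of ids and return
// the status observed for each, the way an attacker iterating ids would.
function probeAsAnonymous(handler, ids) {
  const observed = {};
  for (const id of ids) observed[id] = handler(null, id).status;
  return observed;
}

// The handler leaks existence if anonymous probing yields more than one
// distinct status across the id range: the responses are then correlated
// with which ids exist rather than with the caller's permissions.
function leaksExistence(handler, ids) {
  const statuses = new Set(Object.values(probeAsAnonymous(handler, ids)));
  return statuses.size > 1;
}

const probeIds = [1, 2, 3, 4, 5];
console.log('lookup-then-authorize:', probeAsAnonymous(lookupThenAuthorize, probeIds),
  'leaks:', leaksExistence(lookupThenAuthorize, probeIds));
console.log('authorize-then-lookup:', probeAsAnonymous(authorizeThenLookup, probeIds),
  'leaks:', leaksExistence(authorizeThenLookup, probeIds));
```

Run it with `node`: under the first ordering an anonymous probe of ids 1 to 5 sees 401 for 1 and 3 and 404 for the rest, so the existing ids are recovered without any credentials; under the second ordering every anonymous probe returns 401. The same check applies to any route that resolves a resource from a path parameter: a code path that can return 404 before authorization has run is an existence oracle.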