Описание
When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id
Impact
If you used the apiPrefilter option of the @Entity decorator, by setting it to a function that returns a filter that prevents unauthorized access to data, an attacker who knows the id of an entity instance she is not authorized to access, can gain read, update and delete access to it.
Patches
The issue is fixed in version 0.20.6
Workarounds
Set the apiPrefilter option to a filter object instead of a function.
References
If you're using a minor version < 0.20 and require a patch, please create an issue.
Пакеты
remult
< 0.20.6
0.20.6
Связанные уязвимости
Remult is a CRUD framework for full-stack TypeScript. If you used the apiPrefilter option of the `@Entity` decorator, by setting it to a function that returns a filter that prevents unauthorized access to data, an attacker who knows the `id` of an entity instance is not authorized to access, can gain read, update and delete access to it. The issue is fixed in version 0.20.6. As a workaround, set the `apiPrefilter` option to a filter object instead of a function.