Handlers are not working on some tables

Hmm… actually I hoped that you find a bug.

I’m thinking out load how can I know that it wouldn’t happen again… maybe I need to move all my logic to services and deny direct access from outside… Do you have other suggestion?

I just want to explain my concerns. Since I implemented multi-tenant architecture I’m counting on the handlers to limit the queries to items relevant to that user. For example running the beforeFind handler will add the following to the where clause automatically:

The issue I had was that got access to information of other organizations as the beforeFind ‘*’ didn’t kick-in

Please advice
Eran

Hello @Eran_Sakal

Have you encountered the same problem after first reporting it to us?

I can also suggest that you implement this logic completely through a service in Business Logic.

Regards,
Inna

Hello Inna,
Thank you for contacting me again. It didn’t happen again but because it has huge impact on my application vulnerability (because I’m using it to enforce multi-tenancy roles) I must to something.

Unfortunately I must allow access by javascript to the application for back office so the option to use only BL is not possible.

I was thinking maybe instead creating a timer that will query some tables every 1 minutes to verify the content it receives (obviously it will use the rest api key).

But i’m wondering if I should check all the APIs exposed or only find…

It’s hard for me to say exactly how you need to redo the logic. You need to try and make your logic to the expected result. We will try to make sure that the situation that you have encountered does not repeat itself.

Regards,
Inna

Hello,
The issue happens again. If you will access my application you will be able to reproduce it now with a table named loginsAudit. Last time it resolved it self after some time so if you can check it now it would be great!

As mentioned I’m counting on those handlers to enforce multi-tenancy, without it everyone can access other tenant information.

Because it happens randomly I cannot run an API monitor to capture it, if I will do that I need to run it against all types (find, create, update) for all the tables which doesn’t make sense.

I sent an email with a screenshot of the problem.

Please advice it creates a security issue.

Eran

Hello @Eran_Sakal

Thank you for the video.
I believe it doesn’t run Bl because of Roles Permissions.
I can see that you are logged-in in the REST Console, so make sure this user has access to the data.

Regards, Vlad

That is awesome if this is the case but I just want to verify
according to the permission guide Security - Backendless REST API Documentation

Layer 8 it the last layer that affect the decision and in my application is is explicitly set to false

so in such a case you return 200 with empty array and not an error?

yes, it will return an empty array

Thank you!

@vladimir-upirov I unchecked the “solution” mark because the original issue is not related to the followup one. In the original one I saw all the records the table had because the filter I add in the beforeFind handler wasn’t added as the handler was not invoked.

I understand you correctly don’t have a way to reproduce it. For now it didn’t happen again but I keep this thread as-is if you will find a reason of if it will happen again.

If you prefer to close the thread do so

Thanks
Eran

@vladimir-upirov @mark-piller it happens again now. I sent a video to the support email.

I really need your advice here. If I’m doing something incorrectly let me know, if this is a bug I need to know that you found it and when it is going to be handled.

If you don’t think it is that important let me know so I will be able to decide how to proceed.

I LOVE Backendless and already spent so much time learning the platform, interacting with the features and building an application that should help institutes in Israel during the Corvid. Backendless provides such an amazing platform with custom code generation, powerful console, great documentation, server services, roles… what’s not. I’m amazed with its capabilities. But if it fails in the security / stability areas I’m lost.

I really hope you will find a problem on my side and I will then apologies for writing the above. Otherwise, I need you to give a hand and figure it out.

Eran

P.S
Although in Herbrew, you can see how it affect the application as user can select and set relations of cross organizations

It is my understanding that previously the handlers were not invoked because the currently logged in user didn’t have permission to the tables. So when you say it happens again, is it for the same reason?

Hi,
I had an issue with the size of the video I sent to the support, I resent it with a link to google photos.

Regarding your question, see the original problem (the first thread). I’m experiencing the same thing as the original issue which is not related to permissions. Oleg Vyalyh tried to reproduce it but when he tried to do it, the handlers already started working.

So it is not related to permission

The quality of the video I uploaded to Google is bad, I will re-send using another service

Was the original problem explained in this response?

No,
The issue I’m experiencing now it the same as the original issue of this post.

The one you are quoting is a different issue that I thought at the beginning is the same but it turned out to be a different one.

Please see the video I sent, I talk during you will see the problem there which is the same as the one I originally wrote in this ticket

@mark-piller I was (too) happy you responded fast (2 minutes after reporting the issue) but eventually it was not resolved and production is still broken.

To Summarize

  1. Backendless handlers are defined to be executed for all tables using *.
  2. Backendless execute the handlers only on some of the tables.

What it means

  1. Users see information they shouldn’t see (data leak / security concern).
  2. I need to take down the application until it is resolved although tomorrow ~150 parents should start using it.
  3. I cannot add more organizations to the application although it was architecture to support many (~2k-5k parents every day that we have school and we are not in quarantine).

What I need
I need it to be resolved either by saying to me where I did wrong in the permissions matrix or by fixing something on your side if there is a bug.

As it still happens after 10 hours, please assign someone to check it now before it will be “resolved on its own” like it happened 8 days ago. Answers like the following are not helpful:

Honestly, nothing.

and

There is one thought, that it can be related to the new release which was yesterday. Maybe some old information about tables state were cached. Anyway, now i can not say much about that.

How to reproduce

  1. enter the REST console of table Classes
  2. pick JS Api Key
  3. don’t login with a user
  4. sort by name and query getactual behavior: handlers are not triggered and I get a response with all the data on that table
  5. enter the REST console of table PickupTimes
  6. repeat steps 2-4 → actual behavior: handlers are triggered.

both table share the same permissions matrix

Eran

Please help me understand how invocation of handlers is related to a data leak?

Security in Backendless is enforced by applying roles and permissions to API operations. Invocation of business logic is irrelevant to that subject

@mark-piller
Correct me if I’m wrong - there are two types of support cloud code in Backendless: Handlers and services (and timers which are not relevant at the moment to this thread)

Services are used to extend the supported logic by the server. You can add logic and a user can call them. If the service is not called the user don’t get access to that service

Handlers can shape the response provided by the SDK. This is the only way to enforce policies and if needed to short circuit the response. Before handlers let you shape the query or modify the mutation while After handlers let you omit or add data to the SDK. There is no other way to do that and if handlers although defined are not being triggered, the user get access to the data directly.

taking from node servers, handlers are like middlewares that guard the application from exposing undesired data.

When I was planning the architecture of the multi-tenancy you responded that I can either create an application to every organization or use one instance with handlers (in slack support channel). Later someone else responded that If I need to support readonly/write logic I can add new column to user instead of using roles. Both suggestions make sense and led to the way I architecture multi-tenancy and handlers are the ‘middlewares’ that holds the magic.

This is why I consider it as data leak / security issue. Without handlers multi-tenancy doesn’t work

To summarize what you’re doing:

Issue 1.
You invoke a GET operation on a table and are getting a result. Is the expectation that the server doesn’t return data because the permission is not there?

Questions:

  • what are the names of the tables where it works and doesn’t work?
  • what are the parameters you are passing into the request?

Issue 2
You have an event handler for the find operation that applies to all tables. The handler is invoked for some tables and is not invoked for others.

Questions:

  • what tables is the handler invoked for?
  • what tables is the handler NOT invoked for?

The more precise you provide the answers, the faster we can resolve the issue.

Regards,
Mark