Support Topics Documentation Slack YouTube Blog

Security concern with relation depth

app id: 8C7488E9-5871-4A47-AE5E-2E43E03B85FC

Following a request from Mark to describe the problem here, I’m adding more information.

Unless I did something incorrectly, I managed to query data from a table my role explicitly not allowed to using relation depth. I sent an email with reproducible scenario.

Hello @Eran_Sakal

Thank you for the report, I just created an internal ticket BKNDLSS-23883 to investigate the issue.

Regards, Vlad

1 Like

@vladimir-upirov it seems to happen also with properties and relations.

/data/Children?property=organization.portalPassword%20as%20portalPassword

It might be relevant also for sub relations queries. I sent another reproducible senario video to you email.

Vladimir, can you update about this issue?

Hi, @Eran_Sakal

Sorry for the long reply. We have created a ticket (BKNDLSS-23883) for both cases described. Thanks for you issues. Our developers are already working on a fix. We will let you know when it is ready.

Regards,
Marina