Security incident: Data leaking when fields are used in action visibility checks

Today, we noticed that fields that are used in an action’s visibility check are delivered to the user’s browser as part of the record XHR call. For us this is a severe security issue because internal fields are exposed.

Steps to reproduce:

  1. Create a record details page
  2. Add an action with a visibility condition connected to a secret field value (e.g. an internal status field)
  3. Check the AJAX response for the record

Actual result:
The value of the secret field is exposed to the user’s browser as part of the XHR response body.

Expected result:
Only fields that are actually displayed are delivered to the user.

@Rekrt we are using action button visibility rule properties to check in the UI as well as in the backend, so we need this in the UI too. When you update a value on a single record in a list and we need to hide that button on that record specifically, we need to evaluate it on the frontend. I would suggest you use a derived field for the condition instead. Button visibility is checked in the UI and in the backend; if we checked in the backend only, the button would still be there and clicking it would trigger an error.
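To make the difference between the reported behaviour and the suggested fix concrete, here is an added Python example. It is not code from the platform discussed in this thread (whose record API is not shown here); the record, the field names, the page configuration and the condition format are all constructed. The leaky serializer ships every field a visibility condition references, as the report describes; the hardened one evaluates the condition on the server and sends only a boolean per action (the server-side equivalent of a derived field), and the click handler re-checks the condition so a button that is forced visible still fails on the backend:

```python
from typing import Any, Callable, Dict, List

# Constructed sample record: "internal_status" is the secret, internal-only field.
RECORD: Dict[str, Any] = {"id": 42, "title": "Invoice 42", "internal_status": "pending"}

# Constructed page configuration (hypothetical format): fields the page displays,
# and one action whose visibility depends on the secret field.
DISPLAYED_FIELDS: List[str] = ["id", "title"]
ACTIONS: List[Dict[str, Any]] = [
    {"name": "approve",
     "visible_when": {"field": "internal_status", "op": "eq", "value": "pending"}},
]

_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b,
    "ne": lambda a, b: a != b,
    "in": lambda a, b: a in b,
}


def evaluate_condition(record: Dict[str, Any], cond: Dict[str, Any]) -> bool:
    """Evaluate one visibility condition against a record (server side)."""
    return _OPS[cond["op"]](record.get(cond["field"]), cond["value"])


def serialize_leaky(record: Dict[str, Any], displayed: List[str],
                    actions: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Reproduces the reported behaviour: the browser evaluates the
    conditions itself, so every field a condition references is sent
    along with the displayed fields, including internal ones."""
    needed = set(displayed) | {a["visible_when"]["field"] for a in actions}
    return {
        "record": {f: record[f] for f in needed if f in record},
        "actions": [{"name": a["name"], "visible_when": a["visible_when"]} for a in actions],
    }


def serialize_hardened(record: Dict[str, Any], displayed: List[str],
                       actions: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Evaluate each condition on the server and send only a boolean per
    action. The condition's input fields never leave the backend, and the
    frontend can still hide the button per row after a row is updated
    because the server returns fresh booleans with the re-serialized row."""
    return {
        "record": {f: record[f] for f in displayed if f in record},
        "actions": {a["name"]: evaluate_condition(record, a["visible_when"]) for a in actions},
    }


def authorize_action(record: Dict[str, Any], action_name: str,
                     actions: List[Dict[str, Any]]) -> bool:
    """Re-check the condition when the action is actually triggered, so a
    request for a hidden (or forced-visible) button is refused regardless
    of what the browser rendered."""
    for a in actions:
        if a["name"] == action_name:
            return evaluate_condition(record, a["visible_when"])
    return False  # unknown action: deny by default


if __name__ == "__main__":
    print("leaky   :", serialize_leaky(RECORD, DISPLAYED_FIELDS, ACTIONS))
    print("hardened:", serialize_hardened(RECORD, DISPLAYED_FIELDS, ACTIONS))
    print("approve allowed:", authorize_action(RECORD, "approve", ACTIONS))
```

The hardened response still lets the UI hide the button for one row of a list: when that row's value changes, the server re-serializes the row and returns new booleans, so no secret field value is needed on the client.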