GHSA-6g9v-7gq3-p2c6
SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messages
Details
A record user with UPDATE access could read field values that field-level SELECT permissions hid from them. Arithmetic operators and `extend` embedded the raw operand into their error messages, and UPDATE permission checks evaluate against the unreduced document — so triggering such an error against a hidden field returned its value in the resulting error.
### Impact
A record user issues an UPDATE that performs an incompatible operation against a hidden field — e.g. `UPDATE person:me SET probe = email + 1` when `email` is a string — and reads the value from the returned error (`Tried to compute "alice@example.com" + 1 …`). One field per operation, but the attacker can repeat against any field on any record they can UPDATE.
### Patches
A patch has been introduced that replaces the raw operand in every `try_*` operator and in `extend` with the operand's type name (`"string"`, `"int"`, `"array"`, etc.).
- Versions 3.1.0 and later are not affected by this issue.
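To make the leak described in Details and the fix described in Patches concrete, here is an added example in Rust; it is not SurrealDB's code. A minimal `Value` type and a hypothetical `try_add` operator are shown twice: the leaking form embeds the raw operand in the error text the way the advisory describes, and the hardened form embeds only each operand's type name. The `email` value is a constructed stand-in for a field that field-level SELECT permissions hide from the caller, and `leaks` is a check a reviewer can run over any error string to confirm that hidden data does not appear in it.

```rust
// Added example, not SurrealDB's code: a toy value type with an arithmetic
// operator that fails on incompatible operands, in its leaking and its
// hardened form.
use std::fmt;

#[derive(Debug, Clone, PartialEq)]
pub enum Value {
    Int(i64),
    Str(String),
    Array(Vec<Value>),
}

impl Value {
    /// Type name of the value; this is what the hardened error embeds.
    pub fn kindof(&self) -> &'static str {
        match self {
            Value::Int(_) => "int",
            Value::Str(_) => "string",
            Value::Array(_) => "array",
        }
    }
}

impl fmt::Display for Value {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Value::Int(n) => write!(f, "{}", n),
            Value::Str(s) => write!(f, "\"{}\"", s),
            Value::Array(items) => {
                write!(f, "[")?;
                for (i, v) in items.iter().enumerate() {
                    if i > 0 {
                        write!(f, ", ")?;
                    }
                    write!(f, "{}", v)?;
                }
                write!(f, "]")
            }
        }
    }
}

/// Leaking form (hypothetical): the raw operand, which may be a field the
/// caller is not allowed to SELECT, is written into the error text.
pub fn try_add_leaky(a: &Value, b: &Value) -> Result<Value, String> {
    match (a, b) {
        (Value::Int(x), Value::Int(y)) => x
            .checked_add(*y)
            .map(Value::Int)
            .ok_or_else(|| "Arithmetic overflow".to_string()),
        _ => Err(format!("Tried to compute {} + {}", a, b)),
    }
}

/// Hardened form (hypothetical): only the operands' type names reach the
/// error text, so a hidden field's value cannot be recovered from it.
pub fn try_add_safe(a: &Value, b: &Value) -> Result<Value, String> {
    match (a, b) {
        (Value::Int(x), Value::Int(y)) => x
            .checked_add(*y)
            .map(Value::Int)
            .ok_or_else(|| "Arithmetic overflow".to_string()),
        _ => Err(format!(
            "Tried to compute {} + {}",
            a.kindof(),
            b.kindof()
        )),
    }
}

/// Defender's check: does an error string contain a value that should
/// have stayed hidden from the caller?
pub fn leaks(err: &str, hidden: &Value) -> bool {
    err.contains(&hidden.to_string())
}

fn main() {
    // Constructed stand-in for a field hidden by SELECT permissions.
    let email = Value::Str("alice@example.com".to_string());
    let one = Value::Int(1);
    println!("leaky:    {:?}", try_add_leaky(&email, &one));
    println!("hardened: {:?}", try_add_safe(&email, &one));
}
```

The same pattern applies to any operator or function whose error path formats an operand: a `leaks`-style assertion in the test suite, fed with a value that the caller's permissions should hide, catches a regression back to the leaking form before it ships.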
### Workarounds
Affected users who are unable to update should not grant UPDATE permission on records whose field-level SELECT permissions are expected to hide values from the same caller.
Affected packages
- surrealdb (ecosystem: crates.io), fixed in 3.1.0. Upgrade surrealdb to 3.1.0 or newer.