SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messages
📋 Description
A record user with UPDATE access could read field values that field-level SELECT permissions hid from them. Arithmetic operators and extend embedded the raw operand into their error messages, and UPDATE permission checks evaluate against the unreduced document — so triggering such an error against a hidden field returned its value in the resulting error.
Impact
A record user issues an UPDATE that performs an incompatible operation against a hidden field — e.g. UPDATE person:me SET probe = email + 1 when email is a string — and reads the value from the returned error (Tried to compute "[email protected]" + 1 …). One field per operation, but the attacker can repeat against any field on any record they can UPDATE.
Patches
A patch has been introduced that replaces the raw operand in every try_* operator and in extend with the operand's type name ("string", "int", "array", etc.).
- Versions 3.1.0 and later are not affected by this issue.
Workarounds
Affected users who are unable to update should not grant UPDATE permission on records whose field-level SELECT permissions are expected to hide values from the same caller.
🎯 Affected products1
- rust/surrealdb:< 3.1.0