Hi all
I’m not quite sure whether I’m looking at this the wrong way or whether there’s a security bug in workflow condition security. I’m referring to this here:
Privacy rules do not apply to modifying data through workflows. If you only want certain users to modify data, you can add a condition on the workflow’s events and actions. These conditions are checked on the server, so this is just as secure as setting up privacy rules for modifying data through auto-binding.
Link to Bubble Docs
Setup DB - Test Data
I set up a public and a private data type for testing.
Setup DB - User & Admin
I have an admin boolean flag on the user type. This one is not visible under the user’s own data rule.
I also set up an Admin data type that has a list of users (the admins).
Setup Page
There are 2 input forms.
One to edit existing public data; that’s why it’s already visible (“title” and “desc”).
One form to edit existing private data (only accessible to admins through privacy rules). That one isn’t visible, thanks to privacy rules.
Setup workflow security (2 buttons)
> The workflow security concern in question < The modifying action is secured by a condition on the boolean flag set up on the user type. As I understand it, this condition is checked server-side, not client-side.
The second workflow is the alternative way we found to be more secure. The condition checks the Admin DB for a current user match. This is secure, as the privacy rules take effect and the workflow condition is only secondary.
The penetration test
Here’s what we did to override the admin flag on the current user (funnily enough, it only works when you accept the cookie notice).
- Download the Chrome extension “chrome response override”.
- Visit the page with the workflow in question. In my case: https://securityteststefan.bubbleapps.io/version-test/admin
- Open developer tools and navigate to the extension section “response override”.
- Create a new override; this is what we used:
As you can see in the screenshot, we append the boolean admin flag to the response, even though it’s initially not in there. We’re not logged in.
- Save & run the override (the “save” + “>” button at the top) and refresh the page.
It should display this yellow box when active.
- In form 1, input stuff and click save with the 2 workflow options. The (admin db) variant will not make the changes, as it’s the secure condition variant of user match. The (admin flag) variant will actually work in my case and modifies the data in the database.
Privacy-rule-secured data: this flaw seems to affect only publicly visible data. That’s why the bottom form is there. Why? Because the privacy rules take effect, and the boolean flag on the user can’t be overridden in privacy rules.
Again: if the cookie notice is not accepted, this won’t work. But if you accept it, this flaw does work, and people can easily edit data that is publicly available.
Am I looking at this the right way? Thanks for your opinions, and let’s raise awareness of this if it’s actually a bug.