ApostropheCMS Authorization Bypass Vulnerability in Piece-Type REST API

Vulnerability

An authorization bypass vulnerability has been identified in ApostropheCMS versions 4.28.0 and earlier. The issue resides in the `getRestQuery` method of the `@apostrophecms/piece-type` module. It allows an unauthenticated attacker to bypass the `publicApiProjection` restrictions configured by the administrator, resulting in unauthorized disclosure of fields in publicly queryable documents that were meant to be hidden from the public API. The root cause is ordering: the method applies user-supplied projection parameters before performing the required permission checks, so an attacker can set the projection state first and read fields the public projection would otherwise have excluded.

Impact

Exploitation of this vulnerability allows unauthorized access to fields in publicly queryable documents that the administrator has restricted from the public API. This could include sensitive information such as internal notes, draft content, or metadata.

Reproduction

To reproduce this vulnerability, send an unauthenticated REST API request to a piece-type endpoint (for example, `article`) with a `project` query parameter that names fields excluded by the `publicApiProjection`. Because `getRestQuery` processes the projection before the permission check, the public projection is not enforced and the restricted fields appear in the response.
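The following is an added illustration of the bug class described above, not ApostropheCMS code. It models a piece-type REST handler in which the caller's `project` parameter is applied to the query state before the check that should enforce the administrator's `publicApiProjection`, beside a hardened version that decides privilege first. The function names, the request shape (`{ user, query: { project } }`), the inclusion-only projection semantics and the sample documents are all assumptions made for the example.

```javascript
// Added illustration of the bug class in the advisory; NOT ApostropheCMS code.
// Function names, request shape and projection semantics are assumptions.

// Constructed sample documents: `internalNotes` is the field the administrator
// wants hidden from the public API.
const SAMPLE_DOCS = [
  { _id: 'doc1', title: 'Hello', slug: 'hello', internalNotes: 'draft, do not publish' },
  { _id: 'doc2', title: 'World', slug: 'world', internalNotes: 'legal review pending' },
];

// Administrator-configured projection for unauthenticated API consumers
// (inclusion form only: 1 = expose the field).
const PUBLIC_API_PROJECTION = { title: 1, slug: 1 };

// Apply an inclusion projection to one document; no projection means full doc.
function applyProjection(doc, projection) {
  if (!projection) return { ...doc };
  const out = {};
  for (const field of Object.keys(projection)) {
    if (projection[field] && field in doc) out[field] = doc[field];
  }
  return out;
}

// Keep only the requested fields that the allowed projection also exposes.
// A missing request falls back to the allowed projection unchanged.
function intersectProjection(requested, allowed) {
  if (!requested) return { ...allowed };
  const out = {};
  for (const field of Object.keys(requested)) {
    if (requested[field] && allowed[field]) out[field] = 1;
  }
  return out;
}

// Vulnerable ordering: the caller's `project` parameter sets the projection
// state first; the later check only installs the public projection when none
// is set, so an anonymous caller who supplies `project` bypasses it entirely.
function vulnerableRestQuery(req, docs) {
  let projection = req.query.project || null;   // user input applied first
  if (!req.user && !projection) {               // permission check comes too late
    projection = PUBLIC_API_PROJECTION;
  }
  return docs.map((doc) => applyProjection(doc, projection));
}

// Hardened ordering: decide the caller's privilege first, then derive the
// projection from it. Anonymous callers may narrow the public projection but
// never widen it; authenticated callers keep the projection they requested.
function hardenedRestQuery(req, docs) {
  const requested = req.query.project || null;
  const projection = req.user
    ? requested
    : intersectProjection(requested, PUBLIC_API_PROJECTION);
  return docs.map((doc) => applyProjection(doc, projection));
}

// Stand-alone demonstration: the same anonymous request against both handlers.
const anonymousRequest = { user: null, query: { project: { title: 1, internalNotes: 1 } } };
console.log('vulnerable:', vulnerableRestQuery(anonymousRequest, SAMPLE_DOCS));
console.log('hardened: ', hardenedRestQuery(anonymousRequest, SAMPLE_DOCS));
```

The hardened handler intersects rather than ignores the caller's projection, so public clients can still ask for fewer fields than the default exposes; it never lets them add fields. Exclusion-style projections (`field: 0`) are outside this model and would need their own handling in a real implementation.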

Remediation

Upgrade to ApostropheCMS version 4.29.0, which contains the fix. After upgrading, repeat the request from the Reproduction section as an unauthenticated client and confirm that the fields excluded by `publicApiProjection` no longer appear in the response.

Added: Apr 15, 2026, 10:29 PM
Updated: Apr 15, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.