The following code exists in Link::jsonSerialize():

    // ... (earlier lines of the method, including the computation of $typeKey, not shown)
    // TODO: this could lead to data disclosure - we should only return the fields that are actually needed
    $data = $this->toMap();
    $data['typeKey'] = $typeKey;
    unset($data['ClassName']);
    unset($data['RecordClassName']);
    $data['Title'] = $this->getTitle();
    return $data;
    }

The code is called as part of LinkFieldController::linkData().

Data disclosure could happen when custom links, or extensions to existing links, add data columns that are not supposed to be shown in the CMS: toMap() returns every column of the record, so any such column is passed through to the CMS as-is.

Instead of using the 'include everything' approach, we should have an explicit list of fields that are returned. The list should be extensible, so that custom link types and extensions can opt additional fields in rather than having everything exposed by default.

Acceptance criteria

- Check Link::jsonSerialize() and confirm what it's used for and whether it returns fields that aren't needed.
- Update jsonSerialize() and/or the related method to only return the needed fields.

Affected code snippet

silverstripe-linkfield/src/Models/Link.php
Lines 206 to 224 in c75615f

Extra context

Being able to JSON serialise Links used to be a big deal because all the data was being passed via a JSON string. It's a much smaller concern now.

Link used to implement the JsonSerializable interface. JsonSerializable::jsonSerialize() allows you to customise how an object gets represented when json_encode() is called on it.

I would strongly suggest either:

- Reimplementing the JsonSerializable interface if there's still a need to be able to JSON serialise Links, and using json_encode() instead of calling jsonSerialize() directly.
- Renaming jsonSerialize() to a more descriptive name if it's not actually serialising the Link.

PRs
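The contrast between the 'include everything' approach and an explicit, extensible allowlist, as an added illustration (this is not code from silverstripe-linkfield): DemoLink, its fields, the typeKey value and the allowExtraFields() hook are hypothetical, and toMap() is emulated with a plain array because Silverstripe's DataObject is not loaded here. The constructed record includes an InternalNote column standing in for a column an extension might add.

```php
<?php
// Added example, not code from silverstripe-linkfield. DemoLink and its fields
// are hypothetical; toMap() is emulated because DataObject is not available.

final class DemoLink implements JsonSerializable
{
    /** Fields that are safe to send to the CMS. Extensions add to this via allowExtraFields(). */
    private const BASE_FIELDS = ['ID', 'Title', 'URL', 'OpenInNew'];

    /** @var string[] field names an extension has explicitly opted in (hypothetical hook) */
    private static array $extraFields = [];

    /** @var array<string,mixed> every column on the record, including extension-added ones */
    private array $record;

    private string $typeKey;

    public function __construct(array $record, string $typeKey)
    {
        $this->record = $record;
        $this->typeKey = $typeKey;
    }

    /** Hypothetical extension point: declare additional fields that may be exposed. */
    public static function allowExtraFields(string ...$fields): void
    {
        self::$extraFields = array_values(array_unique(array_merge(self::$extraFields, $fields)));
    }

    /** Emulates DataObject::toMap(): returns every column, with no filtering. */
    public function toMap(): array
    {
        return $this->record;
    }

    /** The 'include everything' approach from the issue: anything in the table leaks. */
    public function toMapUnfiltered(): array
    {
        $data = $this->toMap();
        $data['typeKey'] = $this->typeKey;
        unset($data['ClassName'], $data['RecordClassName']);
        return $data;
    }

    /** Allowlist approach: only explicitly named fields leave the object. */
    public function jsonSerialize(): array
    {
        $allowed = array_merge(self::BASE_FIELDS, self::$extraFields);
        $out = [];
        foreach ($allowed as $field) {
            // Fields that are allowed but absent from the record are simply skipped.
            if (array_key_exists($field, $this->record)) {
                $out[$field] = $this->record[$field];
            }
        }
        $out['typeKey'] = $this->typeKey;
        return $out;
    }
}

// Constructed record: InternalNote stands in for a column added by an extension
// that was never meant to be shown in the CMS.
$link = new DemoLink([
    'ID'              => 7,
    'ClassName'       => DemoLink::class,
    'RecordClassName' => DemoLink::class,
    'Title'           => 'Docs',
    'URL'             => 'https://example.com/docs',
    'OpenInNew'       => 1,
    'InternalNote'    => 'not for editors',
], 'demolink');

// 'include everything': InternalNote is present in the output.
echo json_encode($link->toMapUnfiltered(), JSON_PRETTY_PRINT), "\n";

// Allowlist: json_encode() calls jsonSerialize() itself; InternalNote is absent.
echo json_encode($link, JSON_PRETTY_PRINT), "\n";

// An extension opts a field in explicitly. A field that is not on the record
// (Description) is skipped rather than causing an error.
DemoLink::allowExtraFields('Description');
echo json_encode($link), "\n";
```

The point of going through json_encode() rather than calling jsonSerialize() directly is that the allowlist is then the only path by which a Link reaches the CMS; a second serialisation path that still uses toMap() would reintroduce the disclosure.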