API data leak even using proxies?

Hello, I’m actually using proxies to GET/POST information into Airtable from a mobile app.

Proxies use the “&field” filter, so the GET response only contains a limited number of fields. This is the approach I have seen suggested around the forum for returning a limited number of fields.

To my surprise, if “?id=record_id” is added to a proxied endpoint, no matter what “field” filters are included in the proxy internals, they are bypassed and all fields from the record are returned.

Among all the fields returned, there are dozens of linked records from other tables. Again to my surprise, if any of the linked record IDs from other tables is appended to the proxied URL as ?id=linked_record_id, then the linked record is fully returned (with all its fields).

This creates a huge security issue in my app if exploited, and I have seen no documentation, comments or security practices about it anywhere, nor any way to solve this situation. Any clue? Is anyone having the same problem?

As a live example:

  • GET https://proxied_url?filterByFormula=recordid=example_recordid

Returns only the filtered fields I set up in the proxy from that example record id.

  • GET https://proxied_url

Returns the filtered fields of all the records in the table.

But things go weird if I retrieve:

  • https://proxied_url?id=example_recordid

OR

  • https://proxied_url?filterByFormula=recordid=example_recordid&id=example_recordid

which returns the full record, even if I add the filterByFormula inside the proxy.
To make it worse, if I point at a linked record:

  • https://proxied_url?filterByFormula=recordid=example_recordid&id=linked_recordid

it returns the full data for the record ID from another table.

Finally, since that linked record in turn has dozens of linked records from several orders, I can easily get the full record of each order that has been created for that product.

Basically the worst nightmare if I am trying to protect my customers’ data.

The question is: how do you guys solve this mess? Can you point me somewhere I can get a rational explanation of this and how to avoid it?

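The behaviour described in the post, modelled as an added example (this is not the poster's proxy and not Airtable's own code): a proxy whose field filter lives only on the list path hands back the full record on the `?id=` path, including linked-record IDs that let a caller walk into other tables, beside a hardened proxy that applies the projection to every response it emits and refuses record IDs outside the table it fronts. The table names, field names, record IDs and the `PUBLIC_FIELDS` allowlist are all constructed for the example.

```python
"""Added example: in-memory model of the proxy bypass and a hardened proxy.

The two dicts below stand in for two Airtable tables; they are constructed
sample data, not real records or real field names.
"""
from urllib.parse import parse_qs

# Constructed sample data: an Orders table holding customer data, and a
# Products table that links back to those orders.
ORDERS = {
    "recORD1": {"Order": "A-1001", "Customer": "alice@example.com",
                "Card last4": "4242", "Product": ["recPROD1"]},
    "recORD2": {"Order": "A-1002", "Customer": "bob@example.com",
                "Card last4": "1881", "Product": ["recPROD1"]},
}
PRODUCTS = {
    "recPROD1": {"Name": "Widget", "Price": 9.99, "Supplier cost": 3.10,
                 "Orders": ["recORD1", "recORD2"]},
}
TABLES = {"Products": PRODUCTS, "Orders": ORDERS}

# The only Products fields the mobile app is meant to see (assumption).
# Linked-record fields are deliberately absent so no foreign IDs leak.
PUBLIC_FIELDS = {"Name", "Price"}


def naive_proxy(table, client_query):
    """Field filter applied only on the list path (the bypass in the post).

    The `id` branch returns whatever the upstream holds, untouched, and
    looks the ID up in every table, so a linked-record ID pulled from one
    response fetches a full record from another table.
    """
    params = parse_qs(client_query)
    if "id" in params:
        rec_id = params["id"][0]
        for rows in TABLES.values():
            if rec_id in rows:
                return {"id": rec_id, "fields": dict(rows[rec_id])}
        return {"error": "NOT_FOUND"}
    return {"records": [
        {"id": rid, "fields": {k: v for k, v in rec.items() if k in PUBLIC_FIELDS}}
        for rid, rec in TABLES[table].items()]}


# Client parameters the hardened proxy forwards; everything else is dropped,
# so a client cannot add upstream filters of its own.
ALLOWED_PARAMS = {"id"}


def project(rec_id, fields):
    """Apply the projection to a record just before it leaves the proxy."""
    return {"id": rec_id,
            "fields": {k: v for k, v in fields.items() if k in PUBLIC_FIELDS}}


def hardened_proxy(table, client_query):
    """Same two paths, but the projection and the scope check sit on the
    response side, so no code path can return more than PUBLIC_FIELDS."""
    params = {k: v for k, v in parse_qs(client_query).items()
              if k in ALLOWED_PARAMS}
    rows = TABLES[table]
    if "id" in params:
        rec_id = params["id"][0]
        if rec_id not in rows:          # only IDs from this table are served
            return {"error": "NOT_FOUND"}
        return project(rec_id, rows[rec_id])
    return {"records": [project(rid, rec) for rid, rec in rows.items()]}


if __name__ == "__main__":
    print("naive   :", naive_proxy("Products", "filterByFormula=x&id=recORD1"))
    print("hardened:", hardened_proxy("Products", "filterByFormula=x&id=recORD1"))
```

The point of the second proxy is that the field allowlist is enforced on what the proxy sends back, not on what it asks upstream for; a filter that only decorates one upstream request is bypassed by any other request shape the proxy accepts. Keeping linked-record fields out of the allowlist also denies the client the IDs it would need for the second hop described in the post.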