marcel/familienarchiv
1
0
Fork 0
Code Issues 117 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

GET /api/persons leaks PersonSummaryDTO.notes to typeahead clients (CWE-200) #374

New Issue
Closed
opened 2026-04-29 16:22:31 +02:00 by marcel · 0 comments
marcel commented 2026-04-29 16:22:31 +02:00
Owner
Copy Link

Context

Surfaced during PR #373 review by Nora Steiner (@nullx) — comment #5618, concern #3.

PR #373 introduces a Tiptap-based person mention typeahead in PersonMentionEditor.svelte. The component fetches GET /api/persons?q=<query> on every keystroke after @ and renders the response in a dropdown for the transcriber.

Finding

PersonController.getPersons() returns List<PersonSummaryDTO>. The DTO interface (backend/src/main/java/org/raddatz/familienarchiv/dto/PersonSummaryDTO.java) currently exposes:

public interface PersonSummaryDTO {
    UUID getId();
    String getTitle();
    String getFirstName();
    String getLastName();
    String getPersonType();
    String getAlias();
    Integer getBirthYear();
    Integer getDeathYear();
    String getNotes();          // ← private biographical free text
    boolean isFamilyMember();
    long getDocumentCount();
    default String getDisplayName() { ... }
}

Person.notes is described in the entity itself as "Optional: Free-text biographical notes" — i.e. it is intended to hold sensitive biographical content, possibly including living-relative information, medical/personal observations, or unpublished family history.

Every transcriber typing @ in the editor causes notes for every matched person to be transmitted to the browser. A determined user can scrape all notes simply by typing single letters and inspecting the network panel — without needing direct access to the persons admin page.

This is a CWE-200 (Information Exposure) issue: the API over-exposes data the typeahead does not need.

Acceptance Criteria

  • AC-1: Carve out a typeahead-safe DTO (proposed: PersonTypeaheadDTO) returning only fields the dropdown actually renders: id, title, firstName, lastName, personType, birthYear, deathYear, displayName (derived). NO notes, NO alias, NO documentCount, NO isFamilyMember unless the typeahead UI uses them.
  • AC-2: Add a typed endpoint variant or a query-param flag (/api/persons?q=…&shape=typeahead) that returns the new DTO. The list page (/persons) keeps using the current PersonSummaryDTO.
  • AC-3: PersonMentionEditor.svelte fetch URL switches to the typeahead variant; types regenerated.
  • AC-4: Backend test: PersonControllerTest asserts the typeahead response does NOT include notes (lock down the API surface — Nora explicitly recommended this).
  • AC-5: Frontend type narrowing: replace the Person cast in the dropdown with the new typeahead-safe DTO type so a future field-leak in the wide DTO doesn't silently re-leak.

Non-functional

  • Security: this issue exists because the dropdown is the lowest-privilege caller of the persons list. The fix is "make the API caller-shape-aware" rather than "add field-level security to the wide DTO" — keeping the privileged DTO available for the persons-admin page.
  • Performance: smaller payload per keystroke. Notes can be paragraphs of text; trimming them improves typeahead responsiveness.

Out of scope

  • The full persons list page (/persons) and detail page may continue to expose notes to readers with READ_ALL permission — that is the intended privilege level for that route.
  • Audit logging on persons reads: tracked separately if/when needed.

Source

Nora Steiner, PR #373 review, 2026-04-29.

## Context Surfaced during PR #373 review by Nora Steiner (@nullx) — comment [#5618](http://heim-nas:3005/marcel/familienarchiv/pulls/373#issuecomment-5618), concern #3. PR #373 introduces a Tiptap-based person mention typeahead in `PersonMentionEditor.svelte`. The component fetches `GET /api/persons?q=<query>` on every keystroke after `@` and renders the response in a dropdown for the transcriber. ## Finding `PersonController.getPersons()` returns `List<PersonSummaryDTO>`. The DTO interface (`backend/src/main/java/org/raddatz/familienarchiv/dto/PersonSummaryDTO.java`) currently exposes: ```java public interface PersonSummaryDTO { UUID getId(); String getTitle(); String getFirstName(); String getLastName(); String getPersonType(); String getAlias(); Integer getBirthYear(); Integer getDeathYear(); String getNotes(); // ← private biographical free text boolean isFamilyMember(); long getDocumentCount(); default String getDisplayName() { ... } } ``` `Person.notes` is described in the entity itself as "Optional: Free-text biographical notes" — i.e. it is intended to hold sensitive biographical content, possibly including living-relative information, medical/personal observations, or unpublished family history. Every transcriber typing `@` in the editor causes `notes` for every matched person to be transmitted to the browser. A determined user can scrape all notes simply by typing single letters and inspecting the network panel — without needing direct access to the persons admin page. This is a CWE-200 (Information Exposure) issue: the API over-exposes data the typeahead does not need. ## Acceptance Criteria - [ ] **AC-1**: Carve out a typeahead-safe DTO (proposed: `PersonTypeaheadDTO`) returning only fields the dropdown actually renders: `id`, `title`, `firstName`, `lastName`, `personType`, `birthYear`, `deathYear`, `displayName` (derived). NO `notes`, NO `alias`, NO `documentCount`, NO `isFamilyMember` unless the typeahead UI uses them. - [ ] **AC-2**: Add a typed endpoint variant or a query-param flag (`/api/persons?q=…&shape=typeahead`) that returns the new DTO. The list page (`/persons`) keeps using the current `PersonSummaryDTO`. - [ ] **AC-3**: `PersonMentionEditor.svelte` fetch URL switches to the typeahead variant; types regenerated. - [ ] **AC-4**: Backend test: `PersonControllerTest` asserts the typeahead response does NOT include `notes` (lock down the API surface — Nora explicitly recommended this). - [ ] **AC-5**: Frontend type narrowing: replace the `Person` cast in the dropdown with the new typeahead-safe DTO type so a future field-leak in the wide DTO doesn't silently re-leak. ## Non-functional - **Security**: this issue exists because the dropdown is the lowest-privilege caller of the persons list. The fix is "make the API caller-shape-aware" rather than "add field-level security to the wide DTO" — keeping the privileged DTO available for the persons-admin page. - **Performance**: smaller payload per keystroke. Notes can be paragraphs of text; trimming them improves typeahead responsiveness. ## Out of scope - The full persons list page (`/persons`) and detail page may continue to expose `notes` to readers with `READ_ALL` permission — that is the intended privilege level for that route. - Audit logging on persons reads: tracked separately if/when needed. ## Source Nora Steiner, PR #373 review, 2026-04-29.
marcel added the P1-highbugsecurity labels 2026-04-29 16:22:37 +02:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
P0-critical
Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.
 P1-high
Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.
 P2-medium
Noticeable improvement; doesn't block anything; schedule opportunistically.
 P3-later
Cosmetic or parking-lot work; fine to stay open indefinitely.
 audit
Read-only audit / assessment work; produces a report rather than changing code
 bug
Something isn't working
 cleanup
Removal of dead code, vague comments, naming violations, and scratch artifacts
 collaboration
We want to extend the family archive to have more collaboration tools
 conversation
descoped
We will do that later
 devops
documentation
README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs
 epic
Marker for epic-level issues that group multiple child issues
 feature
file-upload
legibility
Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction
 notification
person
phase-1: security
Security hygiene — must be done first
 phase-2: container-images
Production-ready multi-stage Docker images
 phase-3: prod-compose
Production compose overlay + Caddy reverse proxy
 phase-4: spring-prod-profile
Spring Boot production configuration profile
 phase-5: backups
Database and object storage backup strategy
 phase-6: deployment-docs
.env.example, DEPLOYMENT.md, runbook
 phase-7: monitoring
Prometheus, Loki, Grafana, Alertmanager
 refactor
Code restructuring without behaviour change
 security
test
ui
UI/UX and accessibility issues
 user
No Label P1-high bug security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Jens marcel
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marcel/familienarchiv#374
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?