Your sensitive information deserves the utmost protection, and we're excited to announce a significant update to address potential data exposure risks in DatoCMS projects.
The problem
Previously, if you had an API token with limited permissions and made a GraphQL introspection query to our Content Delivery API, you could inadvertently reveal sensitive project details beyond the token's scope. This vulnerability could expose private information such as model names, fields, and their interconnections.
To further illustrate the issue and the impact of the update, here's an example:
{blackFridayOffer {perOrderDiscount}}
Let's say you have an API token that only has permissions to view the "blog articles" model in your DatoCMS project. Previously, when you made a GraphQL request for something inaccessible, the response simply showed a lack of data, but without explicitly hiding any related fields:
{"data": {"blackFridayOffer": null}}
Sure, no data is spilling out, but the mere existence of the blackFridayOffer
field in the project's schema is a subtle hint that there's some Black Friday intel lurking about, potentially even a per-order discount. That could be information you'd rather keep under wraps.
The Solution
As of today, all new DatoCMS projects will ensure enhanced security by implementing a new behavior. If an API token can only access specific models, inaccessible GraphQL fields will be completely hidden from the GraphQL schema and response, eliminating any potential information exposure.
The same query would result in an error:
{"errors": [{"message": "Field 'blackFridayOffer' doesn't exist on type 'Query'","path": ["query","blackFridayOffer"]}]}
By concealing the inaccessible field, the response no longer reveals any information about the Black Friday offer, safeguarding against potential data exposure risks.
Migrating Existing Projects
If you have an existing project that you'd like to update, you can easily do so from the "Available Updates" section of your environment configuration, as shown in this video:
We strongly recommend testing the effects in a sandbox environment before applying the change to your primary environment, as this update cannot be undone.