Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Magento Rest API exposing PII #39336

Open
1 of 5 tasks
shrinisadagopan opened this issue Nov 6, 2024 · 1 comment
Open
1 of 5 tasks

Magento Rest API exposing PII #39336

shrinisadagopan opened this issue Nov 6, 2024 · 1 comment
Labels
Issue: ready for confirmation Reported on 2.4.6-p8 Indicates original Magento version for the Issue report.

Comments

@shrinisadagopan
Copy link

Preconditions and environment

Magento version - 2.4.6-P8
Environment - Local, Staging and Production

Steps to reproduce

My client is using Akamai Nonames to scan the application for PII in the incoming Rest API calls and if there (like cusotmer email address) Akamai is flagging it as security vulnerability and reporting it as a bug for the developers to fix it.

For example, the following Rest API is called by headless to Adobe Commerce where they are fetching the all the orders for the customers based on their email address to display it in the order history page...since the customer email address is exists in the query parameter Nonames system is flagging it as security vulnerability and report it as high risk.

/rest/V1/orders?searchCriteria[filterGroups][0][filters][0][conditionType]=eq&searchCriteria[filterGroups][0][filters][0][field]=customer_email&searchCriteria[filterGroups][0][filters][0][value][=[email protected]]

Expected result

Akamai Nonames scan should not find any PII information in the Rest API calls

Actual result

Akamai Nonames scan is finding the PII information in the Rest API calls and flagging it as security vulnerability.

Additional information

No response

Release note

No response

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
@m2-assistant M2 Assistant
Copy link

m2-assistant bot commented Nov 6, 2024

Hi @shrinisadagopan. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.

Join Magento Community Engineering Slack and ask your questions in #github channel.
⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

@github-project-automation github-project-automation bot moved this to Ready for Confirmation in Issue Confirmation and Triage Board Nov 6, 2024
@engcom-Bravo engcom-Bravo added the Reported on 2.4.6-p8 Indicates original Magento version for the Issue report. label Nov 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Issue: ready for confirmation Reported on 2.4.6-p8 Indicates original Magento version for the Issue report.
Projects
Issue Confirmation and Triage Board
Status: Ready for Confirmation
Milestone
No milestone
Development

No branches or pull requests
2 participants
@engcom-Bravo @shrinisadagopan