Description
When CQL2 filter expressions are generated and applied by the STAC Auth Proxy, they may be echoed back to the user in the form of links (e.g., `next`, `self`) returned in list-view responses. These links often contain the full filter expression as query parameters.

This behavior risks leaking internal logic or privileged access rules to end users. For example, a link containing a filter such as `private=false` may implicitly reveal the existence of data where `private=true`, even if that data is not accessible to the current user. This creates an information disclosure vulnerability by revealing implementation details or access boundaries.
To prevent this, any filter expression applied by the proxy should not be reflected in the response returned to the user, unless it originated from the user's request.
Proposed Mitigation
A simple approach would be to:
- Cache the original, user-provided filter within the request context.
- Rewrite all `link.href` URLs in the STAC response to use this cached filter, replacing any proxy-injected expressions.
This ensures transparency of user intent without leaking backend logic or security rules.