Internal data leaking to the client browser using the Edit form #11562

Closed
wq9578 opened this issue Feb 25, 2024 · 4 comments
Labels: bug (Something isn't working), low priority, unconfirmed

Comments


wq9578 commented Feb 25, 2024

Package

filament/filament

Package Version

v3.2.34

Laravel Version

v10.44.0

Livewire Version

v3.4.4

PHP Version

PHP 8.3.1

Problem description

Internal data leaking to the client browser using the Edit form, for example JSON like the following:

record:Array[2]
    0:null
    1:Object
        class:"App\Models\Flight"
        key:25
        s:"mdl"

Biggest problem:

  1. Exposing the auto-incremented ID is what should not happen.
     The int primary key (in this example 25) should not be used, but instead the uuid field used for the routes also:

     public function getRouteKeyName(): string
     {
         return 'uuid';
     }

Internally the incrementing primary key remains, but externally only the UUID should be used, as, for example, discussed in "Utilizing UUID as a Secondary Key in Laravel".
Example route (with multi-tenancy): http://127.0.0.1:8000/testpanel/123456789/flights/06f11502-5c99-43ef-9332-4943d380507c/edit

Smaller issue:
2. The class "App\Models\Flight" is exposed.

Expected behavior

  1. Only the UUID (the field specified in getRouteKeyName()) should be transmitted to the browser, not the primary key.
  2. Some obfuscation should be used instead of the class name, for example its SHA-256 hash.

Steps to reproduce

  1. Run in terminal: git clone https://github.com/wq9578/filament-issue-data-leakage.git
  2. Run in terminal: cd filament-issue-data-leakage/filament-issue/ && composer install && php artisan serve
  3. Open website at http://127.0.0.1:8000 and click: Sign In > Flights > Edit [single row]
  4. View page source and search for: Models\

Current URL maintains privacy by exposing the UUID only (e.g., http://127.0.0.1:8000/admin/flights/e7b25d4e-def8-4c1d-a5dc-71773ae6face/edit), but within the JSON data the model class (App\Models\Flight) and internal primary key (1) are transmitted.

Pretty JSON:

record:Array[2]
    0:null
    1:Object
        class:"App\Models\Flight"
        key:1
        s:"mdl"

Raw HTML: {"class":"App\\Models\\Flight","key":1,"s":"mdl"}

Reproduction repository

https://github.com/wq9578/filament-issue-data-leakage

Relevant log output

No response


Hey @wq9578! We're sorry to hear that you've hit this issue. 💛

However, it looks like you forgot to fill in the reproduction repository URL. Can you edit your original post and then we'll look at your issue?

We need a public GitHub repository which contains a Laravel app with the minimal amount of Filament code to reproduce the problem. Please do not link to your actual project; what we need instead is a minimal reproduction in a fresh project without any unnecessary code. This means it doesn't matter if your real project is private / confidential, since we want a link to a separate, isolated reproduction. That would allow us to download it and review your bug much more easily, so it can be fixed more quickly. Please make sure to include a database seeder with everything we need to set the app up quickly.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 25, 2024

Thank you for providing reproduction steps! Reopening the issue now.

@github-actions github-actions bot reopened this Feb 26, 2024
@zepfietje zepfietje added this to the v3 milestone Feb 28, 2024
@danharrin danharrin added this to Roadmap Mar 8, 2024
@github-project-automation github-project-automation bot moved this to Todo in Roadmap Mar 8, 2024
danharrin (Member) commented:

Filament uses Livewire to persist the model. This is Livewire behaviour.

I don't know about the key obfuscation, you should probably report it to Livewire if you expect different behaviour. For the class name, I think you can hide it if you define a morph map entry for that model?

@danharrin danharrin closed this as not planned Won't fix, can't repro, duplicate, stale Mar 10, 2024
@github-project-automation github-project-automation bot moved this from Todo to Done in Roadmap Mar 10, 2024

wq9578 commented Mar 17, 2024

Thanks a lot!

Filament uses Livewire to persist the model. This is Livewire behaviour.

I don't know about the key obfuscation, you should probably report it to Livewire if you expect different behaviour.

Reported to Livewire here: livewire/livewire#8141

For the class name, I think you can hide it if you define a morph map entry for that model?

It worked following the instructions at https://laravel.com/docs/11.x/eloquent-relationships#custom-polymorphic-types:

You may call the enforceMorphMap method in the boot method of your App\Providers\AppServiceProvider class or create a separate service provider if you wish.
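As an added example (not code from the issue, Filament or Livewire), the morph map mitigation confirmed in the comment above, plus a feature test that automates step 4 of the reproduction ("search the page source for Models\"). It assumes a `uuid` column and the getRouteKeyName() override from the issue, the hypothetical edit URL /admin/flights/{uuid}/edit, and existing User and Flight factories.

```php
<?php
// Added example, not code from the issue, Filament or Livewire. Assumed: Flight
// has a `uuid` column and getRouteKeyName() returns 'uuid' as in the issue;
// /admin/flights/{uuid}/edit is the edit URL; User and Flight factories exist.

// ---- app/Providers/AppServiceProvider.php ----
namespace App\Providers;

use App\Models\Flight;
use Illuminate\Database\Eloquent\Relations\Relation;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // The morph map replaces the FQCN with an alias wherever Eloquent's
        // getMorphClass() is used, including the Livewire snapshot sent to the
        // browser ("class":"flight" instead of "App\\Models\\Flight").
        // enforceMorphMap() throws for unlisted models, so list every model a
        // Filament page binds to a Livewire property.
        Relation::enforceMorphMap([
            'flight' => Flight::class,
        ]);
    }
}

// ---- tests/Feature/FlightEditPageTest.php ----
namespace Tests\Feature;

use App\Models\Flight;
use App\Models\User;
use Tests\TestCase;

class FlightEditPageTest extends TestCase
{
    public function test_edit_page_does_not_expose_model_class_name(): void
    {
        $flight = Flight::factory()->create();
        // The route resolves by UUID (getRouteKeyName), never by the integer id.
        $response = $this->actingAs(User::factory()->create())
            ->get("/admin/flights/{$flight->uuid}/edit");
        $response->assertOk();
        // Automated form of the reporter's step 4: the raw HTML carries the
        // JSON-escaped "App\\Models\\Flight", so search for the plain prefix.
        $response->assertDontSee('Models\\', escape: false);
        // The integer key is still sent by Livewire; that part was reported
        // separately as livewire/livewire#8141.
    }
}
```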
