Select filter broke and fetched all data from DB

[jerriclynsjohn]

Bug description

While the user was trying to fetch data that they created using https://tier-vercel-openai.vercel.app/ (Repo), they were able to see data from all users in the DB from the table requested.

Bug reported by the user, shows a video where all data from the table is fetched.

Code used to fetch

const res = await db.content.findMany({
    where: {
      userId: user?.id,
    },
    orderBy: {
      generatedAt: "desc",
    },
  });

You can see the snippet here

How to reproduce

We were not able to reproduce the error at all, this was a one time thing which was recorded by our user as shown above.

Repro steps provided by customer.

1. Go to https://tier-vercel-openai.vercel.app/
2. Generate a copy content
3. Go to history
4. Be idle and let your computer go to sleep
5. When awake it should fetch all data from DB

Expected behavior

It should only fetch data which satisfies the filter, or this will lead to massive data leak.

Prisma information

// This is your Prisma schema file,
// learn more about it in the docs: https://pris.ly/d/prisma-schema

generator client {
  provider = "prisma-client-js"
}

datasource db {
  provider          = "postgresql"
  url               = env("POSTGRES_PRISMA_URL") // uses connection pooling
  directUrl         = env("POSTGRES_URL_NON_POOLING") // uses a direct connection
}

model Account {
  id                String   @id @default(cuid())
  userId            String
  type              String
  provider          String
  providerAccountId String
  refresh_token     String?  @db.Text
  access_token      String?  @db.Text
  expires_at        Int?
  token_type        String?
  scope             String?
  id_token          String?  @db.Text
  session_state     String?
  createdAt         DateTime @default(now()) @map(name: "created_at")
  updatedAt         DateTime @default(now()) @map(name: "updated_at")

  user User @relation(fields: [userId], references: [id], onDelete: Cascade)

  @@unique([provider, providerAccountId])
  @@index([userId])
  @@map(name: "accounts")
}

model Session {
  id           String   @id @default(cuid())
  sessionToken String   @unique
  userId       String
  expires      DateTime
  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)

  @@index([userId])
  @@map(name: "sessions")
}

model User {
  id            String    @id @default(cuid())
  name          String?
  email         String?   @unique
  emailVerified DateTime?
  image         String?
  createdAt     DateTime  @default(now()) @map(name: "created_at")
  updatedAt     DateTime  @default(now()) @map(name: "updated_at")

  accounts Account[]
  sessions Session[]
  contents Content[]

  @@map(name: "users")
}

model VerificationToken {
  identifier String
  token      String   @unique
  expires    DateTime

  @@unique([identifier, token])
  @@map(name: "verification_tokens")
}

model Content {
  id               String   @id @default(cuid())
  prompt           String
  generatedContent String?  @db.Text
  generatedAt      DateTime @default(now()) @map(name: "generated_at")
  userId           String
  user             User     @relation(fields: [userId], references: [id], onDelete: Cascade)

  @@index([userId])
  @@map(name: "posts")
}

const res = await db.content.findMany({
    where: {
      userId: user?.id,
    },
    orderBy: {
      generatedAt: "desc",
    },
  });

Environment & setup

• OS: Mac OS 10.15.7
• Browser: Firefox

We do not have other details from our customer.

Prisma Version

4.16.1

[Jolg42]

@jerriclynsjohn I think this might be related to the fact that your where input, user?.id might be undefined.
If it is undefined then it is expected that it will be ignored and fetch all data.

This is how Prisma is currently designed to work, see docs https://www.prisma.io/docs/concepts/components/prisma-client/null-and-undefined
We know this can be dangerous, but it has been like this for quite some while, and switching would also have other deficits.

See related issues
#20169
#8231

[jerriclynsjohn]

I get how this is the status quo of Prisma, but don't you think ideally if we are using the where statement and if the input is undefined the whole statement should throw an error

Now that Prisma has moved on from the GraphQL abstraction can't we make queries more strict, or at least have an option to enforce strictness. Because this leads to crazy data leak.

[sreuter]

@jerriclynsjohn You can remove the question mark behind user, which will make the whole thing throw should user not be defined. That be said, a cleaner way would be to ensure user.id is defined before passing it to your prisma or instead throw an error yourself.