Fix isFilterable bypass via cursor parameter in findMany

The cursor parameter in findMany accepted uniqueWhere inputs without
validating them against isFilterable access controls. This allowed
users to bypass dynamic isFilterable functions by using cursor instead
of where to probe for records by protected field values.

Add checkFilterOrderAccess validation for cursor fields, matching the
existing validation for where fields. Add tests for cursor-based
filtering with both allowed and denied isFilterable configurations.

---------

Co-authored-by: velocityx034-spec <velocityx034@gmail.com>
Co-authored-by: Emma Hamilton <git@emmas.town>

Author: 3 people

.changeset/young-mangos-go.md

@@ -0,0 +1,5 @@
+---
+"@keystone-6/core": patch
+---
+
+Fix `isFilterable` bypass via `cursor` parameter in `findMany` query

packages/core/src/lib/core/queries/resolvers.ts

@@ -137,6 +137,11 @@ export async function findMany(
   // check filter access (TODO: why isn't this using resolvedWhere)
   await checkFilterOrderAccess([...traverse(list, where)], context, 'filter')
 
+  // check filter access for cursor
+  if (cursor) {
+    await checkFilterOrderAccess([...traverse(list, cursor)], context, 'filter')
+  }
+
   // WARNING: this checks .isOrderable
   const orderBy = await resolveOrderBy(rawOrderBy, list, context)
 

tests/api-tests/queries/filters.test.ts

@@ -22,6 +22,7 @@ const runner = setupTestRunner({
           many_many_many_dashes: text(),
           multi____dash: text({ isFilterable: true }),
           email: text({ isIndexed: 'unique', isFilterable: true, db: { isNullable: true } }),
+          uniqueButNotFilterable: text({ isIndexed: 'unique', isFilterable: () => false, db: { isNullable: true } }),
 
           filterFalse: integer({ isFilterable: false }),
           filterTrue: integer({ isFilterable: true }),
@@ -392,6 +393,42 @@ describe('isFilterable', () => {
   )
 })
 
+describe('isFilterable with cursor', () => {
+  test(
+    'cursor with isFilterable: () => false is denied',
+    runner(async ({ context }) => {
+      await context.query.User.createOne({
+        data: { uniqueButNotFilterable: 'secret-value' },
+      })
+      const { data, errors } = await context.graphql.raw({
+        query: '{ users(cursor: { uniqueButNotFilterable: "secret-value" }, take: 1) { id } }',
+      })
+      // cursor should be checked against isFilterable the same as where
+      expect(data).toEqual({ users: null })
+      expectFilterDenied(errors, [
+        {
+          path: ['users'],
+          message: 'Access denied: You cannot filter by User.uniqueButNotFilterable',
+        },
+      ])
+    })
+  )
+
+  test(
+    'cursor with isFilterable: true is allowed',
+    runner(async ({ context }) => {
+      const item = await context.query.User.createOne({
+        data: { email: 'cursor-allowed@example.com' },
+      })
+      const { data, errors } = await context.graphql.raw({
+        query: '{ users(cursor: { email: "cursor-allowed@example.com" }, take: 1) { id } }',
+      })
+      expect(errors).toBe(undefined)
+      expect(data).toEqual({ users: [{ id: item.id }] })
+    })
+  )
+})
+
 describe('defaultIsFilterable', () => {
   test(
     'defaultIsFilterable: undefined',