The /system/dbconfig/testConnection endpoint is missing the @RequiresPermissions annotation, allowing any authenticated user to test database connections regardless of their assigned role.
All other endpoints in DbConfigController have proper permission checks:
@RequiresPermissions("system:dbconfig:list") // list
@RequiresPermissions("system:dbconfig:add") // add
@RequiresPermissions("system:dbconfig:edit") // edit
@RequiresPermissions("system:dbconfig:remove") // remove
@RequiresPermissions("system:dbconfig:export") // export
// testConnection — no permission check
@RequestMapping(value = "/testConnection", method = RequestMethod.POST)
public AjaxResult testConnection(Dbconfig dbconfig) { ... }
Impact
- Users with only basic read permissions can call
testConnection with arbitrary JDBC URLs
- This bypasses the intended role-based access control for database configuration
- Combined with JDBC URL injection, low-privilege users can trigger outbound connections to attacker-controlled servers
Affected File
|
@RequestMapping(value = "/testConnection", method = RequestMethod.POST) |
Suggested Fix
Add @RequiresPermissions("system:dbconfig:edit") to the testConnection method.
The
/system/dbconfig/testConnectionendpoint is missing the@RequiresPermissionsannotation, allowing any authenticated user to test database connections regardless of their assigned role.All other endpoints in
DbConfigControllerhave proper permission checks:Impact
testConnectionwith arbitrary JDBC URLsAffected File
dataCompare/src/main/java/com/vince/xq/project/system/dbconfig/controller/DbConfigController.java
Line 131 in d118e89
Suggested Fix
Add
@RequiresPermissions("system:dbconfig:edit")to thetestConnectionmethod.