Skip to content

[Security] Missing @RequiresPermissions on /system/dbconfig/testConnection endpoint #15

Description

@MarkLee131

The /system/dbconfig/testConnection endpoint is missing the @RequiresPermissions annotation, allowing any authenticated user to test database connections regardless of their assigned role.

All other endpoints in DbConfigController have proper permission checks:

@RequiresPermissions("system:dbconfig:list")     // list 
@RequiresPermissions("system:dbconfig:add")      // add  
@RequiresPermissions("system:dbconfig:edit")     // edit  
@RequiresPermissions("system:dbconfig:remove")   // remove 
@RequiresPermissions("system:dbconfig:export")   // export

// testConnection — no permission check
@RequestMapping(value = "/testConnection", method = RequestMethod.POST)
public AjaxResult testConnection(Dbconfig dbconfig) { ... }

Impact

  • Users with only basic read permissions can call testConnection with arbitrary JDBC URLs
  • This bypasses the intended role-based access control for database configuration
  • Combined with JDBC URL injection, low-privilege users can trigger outbound connections to attacker-controlled servers

Affected File

@RequestMapping(value = "/testConnection", method = RequestMethod.POST)

Suggested Fix

Add @RequiresPermissions("system:dbconfig:edit") to the testConnection method.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions