Security: Unauthenticated access to system tables (Access/Function/Script/Request) exposes permission configs and script code #857

@icysun


Summary

APIJSON's default @MethodAccess configuration allows unauthenticated (UNKNOWN role) GET/HEAD requests to system tables including Access, Function, Script, and Request. This exposes the complete permission configuration, remote function definitions, and potentially business logic script code to any network-reachable attacker.

Impact

CVSS 5.3 (Medium): information disclosure of permission configs, function signatures, and script code without authentication.

Details

System tables with default @MethodAccess

// APIJSONORM/src/main/java/apijson/orm/model/Access.java:13
@MethodAccess(POST = {}, PUT = {}, DELETE = {})
public class Access {}

// Similar for Function.java, Script.java, Request.java

@MethodAccess(POST = {}, PUT = {}, DELETE = {}) means GET and HEAD requests are not restricted: they default to allowing all roles, including UNKNOWN (unauthenticated).

What gets exposed:

Table     Data exposed
Access    Complete permission config (which tables/operations for which roles)
Function  Remote function method signatures and configurations
Script    Business logic script code (if the Script feature is used)
Request   Request validation logic, including JavaScript/Groovy scripts

Attack:

GET /get/Access      → Permission configuration for all tables
GET /get/Function    → Remote function definitions
GET /get/Script      → Script code
GET /get/Request     → Request validation structures (may contain JS/Groovy code)

No authentication required.

Additional Findings

1. SQL Injection when prepared=false

When prepared = false (set by AbstractParser.java:1107 in certain code paths), multiple user inputs bypass SQL validation:

  • @having: expressions without () are concatenated directly
  • @order: column names are not validated
  • key{}: range conditions are not checked against PATTERN_RANGE
  • @column: function parameters are not checked for a -- or _ prefix

While prepared=true is the default, the security model is fragile: a single setPrepared(false) call exposes all of these injection surfaces.

2. Remote Function/Script Execution Default Enabled

public static boolean ENABLE_REMOTE_FUNCTION = true;
public static boolean ENABLE_SCRIPT_FUNCTION = true;

Combined with the information disclosure above, an attacker can enumerate all configured functions and scripts, then look for exploitable configurations.

Suggested Fix

  1. Restrict system table access to authenticated users:
@MethodAccess(GET = {}, HEAD = {}, POST = {}, PUT = {}, DELETE = {})
public class Access {}
  2. Add deny-by-default for system tables in the framework's request handler
  3. Consider making security independent of the prepared flag: SQL validation should always apply
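The following audit script is an added example (not APIJSON code and not part of this report) that encodes the @MethodAccess semantics described under "System tables with default @MethodAccess" and checks the default annotation against the suggested fix above. It assumes, as the report states, that a method listed with an empty role array is closed to everyone while an unlisted method is open to every role including UNKNOWN; the method names come from the report and the role universe is constructed for illustration.

```python
"""Audit @MethodAccess annotations for methods reachable by the UNKNOWN role."""
import re

# Methods named in the report; roles are a constructed universe, UNKNOWN = unauthenticated.
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE")
ALL_ROLES = frozenset({"UNKNOWN", "LOGIN", "OWNER", "ADMIN"})

ANNOTATION = re.compile(
    r"@MethodAccess\s*\((?P<body>[^)]*)\)\s*public\s+class\s+(?P<cls>\w+)")
ENTRY = re.compile(r"(?P<method>[A-Z]+)\s*=\s*\{(?P<roles>[^}]*)\}")


def effective_access(annotation_body):
    """Map each method to the roles allowed to call it.

    A declared method keeps exactly the roles in its braces ({} = nobody);
    an undeclared method falls back to ALL_ROLES, which is the trap the report describes.
    """
    declared = {
        m.group("method"): frozenset(r.strip() for r in m.group("roles").split(",") if r.strip())
        for m in ENTRY.finditer(annotation_body)
    }
    return {method: declared.get(method, ALL_ROLES) for method in METHODS}


def unauthenticated_methods(annotation_body):
    """Methods the UNKNOWN role may call under this annotation, sorted."""
    return sorted(m for m, roles in effective_access(annotation_body).items() if "UNKNOWN" in roles)


def audit_source(java_source):
    """Return {class_name: [methods open to UNKNOWN]} for every annotated class in the text."""
    return {m.group("cls"): unauthenticated_methods(m.group("body"))
            for m in ANNOTATION.finditer(java_source)}


# Constructed Java source: the report's default annotation next to its suggested fix.
SAMPLE = """
@MethodAccess(POST = {}, PUT = {}, DELETE = {})
public class Access {}

@MethodAccess(GET = {}, HEAD = {}, POST = {}, PUT = {}, DELETE = {})
public class Request {}
"""

if __name__ == "__main__":
    for cls, open_methods in audit_source(SAMPLE).items():
        verdict = ("OPEN to UNKNOWN via " + ", ".join(open_methods)) if open_methods else "closed to UNKNOWN"
        print(f"{cls}: {verdict}")
```

Running the script reports Access as open to UNKNOWN via GET and HEAD and Request as closed, which is exactly the gap the first fix item removes.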

References

  • CWE-200: Exposure of Sensitive Information
  • CWE-862: Missing Authorization

Discoverer

IcySun (icysun@qq.com)
