Skip to content

fix: fix tag export/import routes bypassing JWT auth (CWE-306)#162

Open
saaa99999999 wants to merge 1 commit into
eddycjy:masterfrom
saaa99999999:fix/auth-bypass-tag-routes
Open

fix: fix tag export/import routes bypassing JWT auth (CWE-306)#162
saaa99999999 wants to merge 1 commit into
eddycjy:masterfrom
saaa99999999:fix/auth-bypass-tag-routes

Conversation

@saaa99999999

Copy link
Copy Markdown

Summary

routers/router.go 中标签导出/导入路由使用 r.POST() 而非 apiv1.POST(),导致这两个端点绕过 JWT 认证,无需 token 即可访问。

Root Cause

apiv1 := r.Group("/api/v1")
apiv1.Use(jwt.JWT())
{
    ...
    r.POST("/tags/export", v1.ExportTag)  // BUG: r. not apiv1.
    r.POST("/tags/import", v1.ImportTag)  // BUG: r. not apiv1.
}

r.POST() 将路由注册到根 Engine,跳过 apiv1 的 JWT 中间件。同时 Swagger 注释已标注为 @router /api/v1/tags/export,说明原意应属于 /api/v1 组。

Fix

r.POST → apiv1.POST,路由现在受 JWT 中间件保护,且路径前缀为 /api/v1:

  • /tags/export → /api/v1/tags/export
  • /tags/import → /api/v1/tags/import

Impact

  • CWE-306: Missing Authentication for Critical Function
  • 未认证攻击者可导出所有标签数据(.xlsx)或上传恶意 Excel 文件
  • CVSS 3.1: 5.3

Tag export and import routes used r.POST() instead of apiv1.POST(),
placing them outside the JWT-protected /api/v1 group. Fix by using
apiv1.POST() to enforce authentication on these endpoints.
@saaa99999999

Copy link
Copy Markdown
Author

Hi maintainer, this PR fixes CWE-306 (Missing Authentication for Critical Function) — tag export/import routes were registered with r.POST() instead of apiv1.POST(), bypassing JWT authentication. The Swagger annotations already expected /api/v1 prefix, confirming the bug. Could you please review? Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant