Description
In DSpace CRIS, the configuration setting admin.rest.properties.exposed is currently not respected by the REST API.
As a result, a user / eperson with Site Administrator privileges can retrieve all configuration properties, including highly sensitive values such as database passwords or SMTP credentials, via the REST endpoint.
This behavior represents a security issue, as sensitive configuration values are exposed through the REST API, even though they are explicitly intended to be hidden by configuration.
Steps to reproduce
- Log in as a Site Administrator using the HAL Browser.
- In the Explorer, request the following endpoint: /server/api/config/properties/db.password
- The response contains the database password in plain text (see screenshot).
Root cause analysis
The issue is caused by the logic in ConfigurationRestRepository.findOne(...):

```java
if (!configurationService.hasProperty(property) ||
    (adminRestrictedProperties.contains(property) && !isCurrentUserAdmin(context)) ||
    (!exposedProperties.contains(property) && !isCurrentUserAdmin(context))) {
```

Because Site Administrators are treated as privileged users (isCurrentUserAdmin(context) returns true), both the second and the third branch of the condition evaluate to false for them, so only hasProperty(property) decides. The check therefore effectively allows an administrator to read every existing property, even if it is not listed in admin.rest.properties.exposed.
Impact
- Sensitive configuration values (e.g. database and mail server passwords) can be accessed via REST.
- This undermines the purpose of admin.rest.properties.exposed.
- Multiple DSpace CRIS versions are likely affected, as this logic appears to be shared across versions.
Expected behavior
- Only properties explicitly listed in admin.rest.properties.exposed should be accessible via the REST API.
- Sensitive properties should never be exposed, even to Site Administrators, unless explicitly allowed.
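The following stand-alone class is an added illustration, not DSpace CRIS code or the project's fix: it models the access decision from the root cause analysis next to one reading of the expected behaviour above (a property is visible only when it is explicitly allow-listed, and admin status only unlocks the admin list). The property sets and the names other than db.password are constructed for the demonstration.

```java
import java.util.Set;

// Hypothetical model of the findOne(...) access decision; not DSpace code.
public class ConfigPropertyAccessCheck {
    private final Set<String> existingProperties;        // what configurationService.hasProperty() knows
    private final Set<String> exposedProperties;         // public allow-list (constructed here)
    private final Set<String> adminRestrictedProperties; // admin.rest.properties.exposed (constructed here)

    public ConfigPropertyAccessCheck(Set<String> existing, Set<String> exposed, Set<String> adminRestricted) {
        this.existingProperties = existing;
        this.exposedProperties = exposed;
        this.adminRestrictedProperties = adminRestricted;
    }

    // The condition quoted in the issue: every branch that could hide a property
    // is switched off by isAdmin, so an admin reads anything that exists.
    public boolean hiddenByCurrentLogic(String property, boolean isAdmin) {
        return !existingProperties.contains(property)
                || (adminRestrictedProperties.contains(property) && !isAdmin)
                || (!exposedProperties.contains(property) && !isAdmin);
    }

    // Assumed reading of the expected behaviour: visible only when allow-listed;
    // being an admin never extends beyond the admin list.
    public boolean hiddenByExpectedLogic(String property, boolean isAdmin) {
        if (!existingProperties.contains(property)) {
            return true;
        }
        boolean publicAllowed = exposedProperties.contains(property);
        boolean adminAllowed = isAdmin && adminRestrictedProperties.contains(property);
        return !(publicAllowed || adminAllowed);
    }

    public static void main(String[] args) {
        // Constructed sample configuration: db.password exists but is on no allow-list.
        ConfigPropertyAccessCheck check = new ConfigPropertyAccessCheck(
                Set.of("site.name.example", "handle.prefix.example", "db.password", "smtp.password.example"),
                Set.of("site.name.example"),
                Set.of("handle.prefix.example"));
        for (String p : new String[] {"site.name.example", "handle.prefix.example", "db.password", "smtp.password.example"}) {
            System.out.printf("%-22s admin: current=%-7s expected=%-7s | anonymous: current=%-7s expected=%s%n",
                    p,
                    check.hiddenByCurrentLogic(p, true) ? "hidden" : "VISIBLE",
                    check.hiddenByExpectedLogic(p, true) ? "hidden" : "VISIBLE",
                    check.hiddenByCurrentLogic(p, false) ? "hidden" : "VISIBLE",
                    check.hiddenByExpectedLogic(p, false) ? "hidden" : "VISIBLE");
        }
    }
}
```

For the admin rows, db.password and smtp.password.example come out VISIBLE under the current logic and hidden under the expected logic, which is exactly the gap the issue describes.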