[Security] Missing @RequiresPermissions on /system/dbconfig/testConnection endpoint

The `/system/dbconfig/testConnection` endpoint is missing the `@RequiresPermissions` annotation, allowing any authenticated user to test database connections regardless of their assigned role.

All other endpoints in `DbConfigController` have proper permission checks:

```java
@RequiresPermissions("system:dbconfig:list")     // list 
@RequiresPermissions("system:dbconfig:add")      // add  
@RequiresPermissions("system:dbconfig:edit")     // edit  
@RequiresPermissions("system:dbconfig:remove")   // remove 
@RequiresPermissions("system:dbconfig:export")   // export

// testConnection — no permission check
@RequestMapping(value = "/testConnection", method = RequestMethod.POST)
public AjaxResult testConnection(Dbconfig dbconfig) { ... }
```

## Impact

- Users with only basic read permissions can call `testConnection` with arbitrary JDBC URLs
- This bypasses the intended role-based access control for database configuration
- Combined with JDBC URL injection, low-privilege users can trigger outbound connections to attacker-controlled servers

## Affected File

https://github.com/dromara/dataCompare/blob/d118e89272f53071ae45ca99ce8e2dddaf836925/src/main/java/com/vince/xq/project/system/dbconfig/controller/DbConfigController.java#L131

## Suggested Fix

Add `@RequiresPermissions("system:dbconfig:edit")` to the `testConnection` method.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Missing @RequiresPermissions on /system/dbconfig/testConnection endpoint #15

Impact

Affected File

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Security] Missing @RequiresPermissions on /system/dbconfig/testConnection endpoint #15

Description

Impact

Affected File

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions