当前位置: 首页 > news >正文

RuoYi issue4: Unauthorized Role Assignment Deletion

news 2026/6/18 12:40:41

Vulnerability call chain

1.1 Summary

RuoYi has a missing authorization vulnerability: Unauthorized Role Assignment Deletion. 越权撤销目标用户角色,导致权限被移除。

  • Attack precondition: 拥有 system:role:edit
  • Affected authorization property: ``sys_user_role.user_id, sys_user_role.role_id
  • Security impact: 越权撤销目标用户角色,导致权限被移除。

1.2 Exploit path

POST /system/role/authUser/cancel/system/role/authUser/cancelAll,提交任意 roleId/userId(s)

1.3 Key code evidence

  1. ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java

Evidence location: https://github.com/yangzongzhuan/RuoYi/blob/master/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java#L262

  259      @Log(title = "角色管理", businessType = BusinessType.GRANT)260      @PostMapping("/authUser/cancel")261      @ResponseBody262      public AjaxResult cancelAuthUser(SysUserRole userRole)263      {264          return toAjax(roleService.deleteAuthUser(userRole));265      }266  267      /**268       * 批量取消授权269       */270      @RequiresPermissions("system:role:edit")271      @Log(title = "角色管理", businessType = BusinessType.GRANT)272      @PostMapping("/authUser/cancelAll")273      @ResponseBody274      public AjaxResult cancelAuthUserAll(Long roleId, String userIds)275      {276          return toAjax(roleService.deleteAuthUsers(roleId, userIds));277      }278  279      /**280       * 选择用户281       */282      @RequiresPermissions("system:role:list")283      @GetMapping("/authUser/selectUser/{roleId}")
  1. ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java

Evidence location: https://github.com/yangzongzhuan/RuoYi/blob/master/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java#L377

  374      {375          return roleMapper.updateRole(role);376      }377  378      /**379       * 取消授权用户角色380       * 381       * @param userRole 用户和角色关联信息382       * @return 结果383       */384      @Override385      public int deleteAuthUser(SysUserRole userRole)386      {387          return userRoleMapper.deleteUserRoleInfo(userRole);388      }389  390      /**391       * 批量取消授权用户角色392       * 393       * @param roleId 角色ID394       * @param userIds 需要删除的用户数据ID395       * @return 结果
  1. ruoyi-system/target/classes/mapper/system/SysUserRoleMapper.xml

Evidence location: https://github.com/yangzongzhuan/RuoYi/blob/master/ruoyi-system/target/classes/mapper/system/SysUserRoleMapper.xml#L38

   35  		</foreach>36  	</insert>37  	38  	<delete id="deleteUserRoleInfo" parameterType="SysUserRole">39  		delete from sys_user_role where user_id=#{userId} and role_id=#{roleId}40  	</delete>41  	42  	<delete id="deleteUserRoleInfos">43  	    delete from sys_user_role where role_id=#{roleId} and user_id in44   	    <foreach collection="userIds" item="userId" open="(" separator="," close=")">45   	        #{userId}46              </foreach> 47  	</delete>48  </mapper>
  1. roleService.c

Evidence location: https://github.com/yangzongzhuan/RuoYi/blob/master/roleService.c
5. userService.c

Evidence location: https://github.com/yangzongzhuan/RuoYi/blob/master/userService.c

3. Root Cause Analysis

Root Cause 1: Missing server-side authorization on the vulnerable operation.

The endpoint accepts user-controlled authorization-sensitive identifiers or fields, but the write/read path does not prove that the current caller may operate on the target object.

Root Cause 2: Missing object-scope or grant-bound validation.

The implementation relies on endpoint access, UI filtering, or object existence checks instead of enforcing target ownership, tenant boundary, role ceiling, or grantable-resource constraints at the service layer.

删除前调用 roleService.checkRoleDataScope(roleId) 和每个 userService.checkUserDataScope(userId);操作后清理授权缓存。

5. Verification after fix

  • Unauthorized callers receive HTTP 403 or equivalent rejection.
  • Out-of-scope target identifiers are rejected before database writes or sensitive reads.
  • Role, permission, tenant, organization, ownership, or grant-bound ceilings are enforced server-side.
  • Direct HTTP requests are rejected even when front-end controls are hidden.
http://www.jsqmd.com/news/1035824/

相关文章:

  • 2026陕西焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • MonkeyCode开源版API调试工具:在云IDE里直接测试接口(免费,替代Postman)
  • 全栈应用的状态同步:从前后端割裂到实时一致,分布式数据的协调方案
  • 2026 年人来灯亮智能开关推荐:优智者感应灵敏 - 思溯深度专栏
  • 2026 亨得利辟谣维权完整版:全网仿冒售后电话曝光 + 原厂维保收费标准对照(建议保存) - 亨得利官方维修中心
  • 2026年 道路沥青路面/彩色沥青道路/沥青混凝土厂家推荐榜单:覆盖小区、园区、停车场与厂房地坪混凝土的优质品牌解析 - 品牌发掘
  • Loop:Agent发展的第四个Engineering已经来了
  • 2026内江焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • 2026杭州黄金回收实测:拱墅上城萧山余杭钱塘全覆盖,免费上门验金,让闲置金饰安稳变现 - 百福黄金回收
  • 喜马拉雅VIP音频本地化深度解析:Go+Qt5跨平台下载器实战指南
  • LangGraph重试机制:3步解决AI工作流中的失败问题
  • 用过才敢说!2026年最值得用的专业AI论文平台
  • WinBtrfs驱动深度解析:让Windows原生支持Btrfs文件系统的完整方案
  • 2026汕头焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • RuoYi issue5: Department Hierarchy Rebinding
  • 2026年6月知识产权商标注册公司推荐:TOP5实力榜专业评测市场份额案例 - 品牌推荐
  • hu
  • 2026黔南焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • 2026随州焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • 基于MOBI文件解析的Kindle封面元数据修复技术
  • Hermes Agent Skill Runtime 架构拆解:让 AI Agent 不再从零开始
  • 2026上海焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • 解锁米哈游游戏字体:HoYo-Glyphs开源字体库创意应用全攻略
  • 拉萨市空调维修/中央空调维修|本地避坑指南,满分五星平台|欧米到家首选 - 欧米到家
  • 终极免费浏览器AI图像标注工具:make-sense.ai完全指南
  • 2026内蒙古焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • 2026柳州焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • Zotero Actions Tags:终极智能文献自动化管理指南
  • 2026上饶焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • 授权委托书公证办理周期大概多久?授权委托书公证不用本人到场能操作吗?