UserFormResultController.exportFormData Interface Has Horizontal Privilege Escalation (IDOR) Risk, Allowing Export of Arbitrary Form Data

[Leeziao]

The form data export interface exportFormData lacks validation of the operator's permissions. An attacker can modify the formKey parameter in the request to export form data created by other users without authorization, leading to the leakage of sensitive information.

Vulnerability Location

• Entry Point: tduck-platform/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserFormResultController.java
• Logic: tduck-platform/tduck-form/src/main/java/com/tduck/cloud/form/util/FormDataExportUtils.java

Vulnerability Analysis

In the FormDataExportUtils.exportData method, the code directly uses exportRequest.getFormKey() from the frontend as a query condition. However, the backend logic does not verify whether the currently logged-in user owns or has access permissions for that formKey.

Code snippet:

// FormDataExportUtils.java
public void exportData(ExportRequest.FormData exportRequest) {
    // The passed-in formKey is directly trusted without authorization checks
    QueryFormResultRequest queryFormResultRequest = new QueryFormResultRequest();
    queryFormResultRequest.setFormKey(exportRequest.getFormKey()); 
    // ... Subsequent steps directly query and export data to Excel/CSV
}