Summary
The GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram webhook URLs with embedded bot tokens, and Authorization header values — without any field-level redaction. Any authenticated admin who calls these endpoints receives every stored credential in the system in a single API response. A compromised admin session or leaked PAT with nezha:ddns:read or nezha:notification:read scope exposes all third-party integration secrets.
Details
The listDDNS and listNotification handlers follow an identical pattern: they call the corresponding singleton GetSortedList(), copier.Copy the full in-memory structs into a response slice, and return them via listHandler with zero field stripping.
DDNS — cmd/dashboard/controller/ddns.go:25–33:
func listDDNS(c *gin.Context) ([]*model.DDNSProfile, error) {
var ddnsProfiles []*model.DDNSProfile
list := singleton.DDNSShared.GetSortedList()
if err := copier.Copy(&ddnsProfiles, &list); err != nil {
return nil, err
}
return ddnsProfiles, nil
}
The DDNSProfile struct (model/ddns.go:20–36) serializes AccessSecret with json:"access_secret,omitempty" — non-empty Cloudflare tokens and TencentCloud SecretKeys are returned in cleartext. The WebhookURL and WebhookHeaders fields may also contain embedded secrets.
Notification — cmd/dashboard/controller/notification.go:25–33:
func listNotification(c *gin.Context) ([]*model.Notification, error) {
slist := singleton.NotificationShared.GetSortedList()
var notifications []*model.Notification
if err := copier.Copy(¬ifications, &slist); err != nil {
return nil, err
}
return notifications, nil
}
The Notification struct (model/notification.go:34–44) serializes URL, RequestHeader, and RequestBody — all of which commonly contain embedded bot tokens (Slack, Discord, Telegram), API keys in Authorization headers, and webhook secrets.
Route and authorization (cmd/dashboard/controller/controller.go:155, 171):
auth.GET("/notification", restScopeMiddleware(model.ScopeNotificationRead), listHandler(listNotification))
auth.GET("/ddns", restScopeMiddleware(model.ScopeDDNSRead), listHandler(listDDNS))
Both routes are behind authMw (JWT or PAT) and the corresponding read scope. The listHandler → filter chain uses HasPermission (model/common.go:63–82) which grants admins access to ALL profiles and restricts members to their own. No separate response struct or field masking exists anywhere in the codebase — confirmed by exhaustive search for DDNSResponse, DDNSView, NotificationResponse, NotificationView, or any JSON middleware that strips sensitive fields.
The codebase already demonstrates awareness of this pattern: serverConfigSensitiveScope() in cmd/dashboard/controller/api_token_scope.go:117 was introduced to restrict client_secret exposure via GET /server/config/:id, tightening the scope from ScopeServerRead to ScopeServerWrite. No equivalent protection exists for the DDNS or Notification list endpoints.
Tested at commit 3d74cd94 (master, post v2.2.3). The vulnerable pattern has existed since the DDNS and notification list endpoints were introduced.
PoC
-
Deploy nezha with at least one admin user. Configure a DDNS profile with a Cloudflare API token (AccessSecret) and a Notification webhook pointing to a Slack incoming webhook URL (https://hooks.slack.com/services/T.../B.../xxx...).
-
Authenticate as the admin user. Call:
# DDNS credentials exposed
curl -s -H "Authorization: Bearer <admin_jwt>" \
https://dashboard.example.com/api/v1/ddns \
| jq '.data[].access_secret'
# Notification webhook secrets exposed
curl -s -H "Authorization: Bearer <admin_jwt>" \
https://dashboard.example.com/api/v1/notification \
| jq '.data[].url'
-
Observe the full Cloudflare API token, Slack webhook URL with embedded token, and any RequestHeader values (e.g., Authorization: Bearer ...) returned in cleartext.
-
Alternatively, create a PAT with nezha:ddns:read scope:
curl -s -H "Authorization: Bearer nzp_<pat_secret>" \
https://dashboard.example.com/api/v1/ddns \
| jq '.data[].access_secret'
If the PAT creator is an admin, all DDNS secrets are returned in a single response.
-
Negative control: A member (non-admin) calling the same endpoints only sees their own profiles due to the HasPermission filter (model/common.go:63–82). However, an admin sees ALL profiles with ALL secrets. The security boundary crossed is the credential confidentiality boundary — a read-only listing endpoint should not return write-capable credentials.
Impact
An attacker who compromises an admin session or obtains a PAT with the appropriate read scope can exfiltrate all third-party API credentials stored in the dashboard — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram bot tokens, and any secrets embedded in webhook URLs or Authorization headers. These credentials can then be used to:
- Modify DNS records for any domain managed via Cloudflare/TencentCloud DDNS profiles
- Send messages as the Slack/Discord/Telegram bot to any configured channel
- Access any other API the compromised credentials grant access to
The attack requires high privileges (admin JWT or PAT with appropriate scope), but the impact is amplified because a single API call exposes ALL stored credentials across ALL DDNS profiles and ALL notification webhooks, with no field-level access control separating metadata from secrets.
Suggested remediation: Introduce separate response structs (e.g., DDNSProfileResponse, NotificationResponse) that omit sensitive fields (AccessSecret, WebhookHeaders, URL, RequestHeader) from list/read endpoints, or use json:"-" tags on sensitive fields and provide them only through a dedicated credential-retrieval endpoint with stricter authorization (analogous to the existing serverConfigSensitiveScope() pattern).
References
Summary
The
GET /api/v1/ddnsandGET /api/v1/notificationendpoints return full resource objects including plaintext third-party API credentials — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram webhook URLs with embedded bot tokens, and Authorization header values — without any field-level redaction. Any authenticated admin who calls these endpoints receives every stored credential in the system in a single API response. A compromised admin session or leaked PAT withnezha:ddns:readornezha:notification:readscope exposes all third-party integration secrets.Details
The
listDDNSandlistNotificationhandlers follow an identical pattern: they call the corresponding singletonGetSortedList(),copier.Copythe full in-memory structs into a response slice, and return them vialistHandlerwith zero field stripping.DDNS —
cmd/dashboard/controller/ddns.go:25–33:The
DDNSProfilestruct (model/ddns.go:20–36) serializesAccessSecretwithjson:"access_secret,omitempty"— non-empty Cloudflare tokens and TencentCloud SecretKeys are returned in cleartext. TheWebhookURLandWebhookHeadersfields may also contain embedded secrets.Notification —
cmd/dashboard/controller/notification.go:25–33:The
Notificationstruct (model/notification.go:34–44) serializesURL,RequestHeader, andRequestBody— all of which commonly contain embedded bot tokens (Slack, Discord, Telegram), API keys in Authorization headers, and webhook secrets.Route and authorization (
cmd/dashboard/controller/controller.go:155, 171):Both routes are behind
authMw(JWT or PAT) and the corresponding read scope. ThelistHandler→filterchain usesHasPermission(model/common.go:63–82) which grants admins access to ALL profiles and restricts members to their own. No separate response struct or field masking exists anywhere in the codebase — confirmed by exhaustive search forDDNSResponse,DDNSView,NotificationResponse,NotificationView, or any JSON middleware that strips sensitive fields.The codebase already demonstrates awareness of this pattern:
serverConfigSensitiveScope()incmd/dashboard/controller/api_token_scope.go:117was introduced to restrictclient_secretexposure viaGET /server/config/:id, tightening the scope fromScopeServerReadtoScopeServerWrite. No equivalent protection exists for the DDNS or Notification list endpoints.Tested at commit
3d74cd94(master, post v2.2.3). The vulnerable pattern has existed since the DDNS and notification list endpoints were introduced.PoC
Deploy nezha with at least one admin user. Configure a DDNS profile with a Cloudflare API token (AccessSecret) and a Notification webhook pointing to a Slack incoming webhook URL (
https://hooks.slack.com/services/T.../B.../xxx...).Authenticate as the admin user. Call:
Observe the full Cloudflare API token, Slack webhook URL with embedded token, and any
RequestHeadervalues (e.g.,Authorization: Bearer ...) returned in cleartext.Alternatively, create a PAT with
nezha:ddns:readscope:If the PAT creator is an admin, all DDNS secrets are returned in a single response.
Negative control: A member (non-admin) calling the same endpoints only sees their own profiles due to the
HasPermissionfilter (model/common.go:63–82). However, an admin sees ALL profiles with ALL secrets. The security boundary crossed is the credential confidentiality boundary — a read-only listing endpoint should not return write-capable credentials.Impact
An attacker who compromises an admin session or obtains a PAT with the appropriate read scope can exfiltrate all third-party API credentials stored in the dashboard — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram bot tokens, and any secrets embedded in webhook URLs or Authorization headers. These credentials can then be used to:
The attack requires high privileges (admin JWT or PAT with appropriate scope), but the impact is amplified because a single API call exposes ALL stored credentials across ALL DDNS profiles and ALL notification webhooks, with no field-level access control separating metadata from secrets.
Suggested remediation: Introduce separate response structs (e.g.,
DDNSProfileResponse,NotificationResponse) that omit sensitive fields (AccessSecret,WebhookHeaders,URL,RequestHeader) from list/read endpoints, or usejson:"-"tags on sensitive fields and provide them only through a dedicated credential-retrieval endpoint with stricter authorization (analogous to the existingserverConfigSensitiveScope()pattern).References