admin.rest.properties.exposed configuration is ignored, allowing Site Administrators to access sensitive configuration properties via REST API #536

@saschaszott

Description

In DSpace CRIS, the configuration setting admin.rest.properties.exposed is currently not respected by the REST API.

As a result, a user/eperson with Site Administrator privileges can retrieve all configuration properties, including highly sensitive values such as database passwords or SMTP credentials, via the REST endpoint.

This behavior represents a security issue, as sensitive configuration values are exposed through the REST API, even though they are explicitly intended to be hidden by configuration.

Steps to reproduce

  1. Log in as a Site Administrator using the HAL Browser.
  2. In the Explorer, request the following endpoint: /server/api/config/properties/db.password
  3. The response contains the database password in plain text (see screenshot).
Root cause analysis

The issue is caused by the logic in ConfigurationRestRepository.findOne(...):

if (!configurationService.hasProperty(property) ||
    (adminRestrictedProperties.contains(property) && !isCurrentUserAdmin(context)) ||
    (!exposedProperties.contains(property) && !isCurrentUserAdmin(context))) {

Because Site Administrators are treated as privileged users (isCurrentUserAdmin(context) returns true), the check effectively allows access to all properties, even if they are not listed in admin.rest.properties.exposed.

Impact

  • Sensitive configuration values (e.g. database and mail server passwords) can be accessed via REST.
  • This undermines the purpose of admin.rest.properties.exposed.
  • Multiple DSpace CRIS versions are likely affected, as this logic appears to be shared across versions.

Expected behavior

  • Only properties explicitly listed in admin.rest.properties.exposed should be accessible via the REST API.
  • Sensitive properties should never be exposed, even to Site Administrators, unless explicitly allowed.
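As an added example (not DSpace's own code and not part of the report above), the following standalone Java class reproduces the access condition quoted in the root cause analysis next to an allow-list version that matches the expected behaviour. The class name, the in-memory sets that stand in for configurationService.hasProperty(...) and the three configuration lists, and the sample property names other than db.password are assumptions made for this illustration.

```java
import java.util.Set;

/**
 * Hypothetical model of the property-exposure check discussed in the issue.
 * It is not DSpace's ConfigurationRestRepository; the sets below stand in for
 * the configuration service and the rest.properties.exposed,
 * admin.rest.properties.exposed and admin-restricted lists.
 */
public final class PropertyExposureCheck {

    private final Set<String> knownProperties;           // stands in for configurationService.hasProperty
    private final Set<String> exposedProperties;         // assumed: rest.properties.exposed (public allow-list)
    private final Set<String> adminExposedProperties;    // assumed: admin.rest.properties.exposed (admin allow-list)
    private final Set<String> adminRestrictedProperties; // properties non-admins may never read

    public PropertyExposureCheck(Set<String> known, Set<String> exposed,
                                 Set<String> adminExposed, Set<String> adminRestricted) {
        this.knownProperties = known;
        this.exposedProperties = exposed;
        this.adminExposedProperties = adminExposed;
        this.adminRestrictedProperties = adminRestricted;
    }

    /**
     * The condition quoted in the issue. Every clause that could deny access
     * is ANDed with "!isAdmin", so an administrator passes regardless of any
     * allow-list: the admin list is never consulted at all.
     */
    public boolean isAllowedCurrent(String property, boolean isAdmin) {
        if (!knownProperties.contains(property)
                || (adminRestrictedProperties.contains(property) && !isAdmin)
                || (!exposedProperties.contains(property) && !isAdmin)) {
            return false;
        }
        return true;
    }

    /**
     * Allow-list version matching the expected behaviour: an unknown property is
     * denied; a public property is readable by anyone not blocked by the
     * restricted list; an administrator additionally gets exactly the
     * properties listed in admin.rest.properties.exposed, nothing else.
     */
    public boolean isAllowedFixed(String property, boolean isAdmin) {
        if (!knownProperties.contains(property)) {
            return false;
        }
        if (exposedProperties.contains(property)
                && (isAdmin || !adminRestrictedProperties.contains(property))) {
            return true;
        }
        return isAdmin && adminExposedProperties.contains(property);
    }

    public static void main(String[] args) {
        // Constructed sample configuration: "dspace.name" is a public property,
        // "mail.server" is on the admin allow-list, "db.password" is on neither.
        PropertyExposureCheck check = new PropertyExposureCheck(
                Set.of("dspace.name", "mail.server", "db.password"),
                Set.of("dspace.name"),
                Set.of("mail.server"),
                Set.of());

        String[] props = {"dspace.name", "mail.server", "db.password", "no.such.property"};
        for (String p : props) {
            System.out.printf("%-18s admin: current=%-5s fixed=%-5s | user: current=%-5s fixed=%-5s%n",
                    p,
                    check.isAllowedCurrent(p, true), check.isAllowedFixed(p, true),
                    check.isAllowedCurrent(p, false), check.isAllowedFixed(p, false));
        }
        // With the quoted condition an administrator reads db.password although it
        // is on no allow-list; with the allow-list version the request is denied.
    }
}
```

The difference to look for is the db.password row: the quoted condition reports true for an administrator because no clause can fail once isAdmin is true, while the allow-list version returns true only for properties that appear in one of the two exposed lists. A quick review check for similar code is to ask whether any branch lets the admin flag short-circuit the allow-list lookup instead of selecting which allow-list applies.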
