File: src/main/java/com/cabbooking/config/SecurityConfig.java (lines 43, 64-68)
Severity: Critical
Description
The H2 database console is accessible at /h2-console/** with:
- No authentication required (.permitAll() at line 43)
- CSRF protection disabled (line 65)
If the application is deployed with H2 enabled (which is the default via application.properties), an attacker who can reach the endpoint can execute arbitrary SQL against the in-memory database, including reading all user data, booking history, driver locations, and emergency alerts.
The H2 console should never be exposed in production. Since H2 is only intended for local development, consider:
- Removing the H2 console permit from production security config
- Using a Spring profile (dev) to conditionally enable H2 console access
- Adding authentication to the H2 console endpoint
- Never disabling CSRF for the H2 console in production
Relevant Code
// SecurityConfig.java:43
.requestMatchers("/", "/about", "/contact", "/auth/register", "/auth/login",
"/static/**", "/css/**", "/js/**", "/images/**", "/h2-console/**").permitAll()
// SecurityConfig.java:64-68
.csrf(csrf -> csrf
.ignoringRequestMatchers("/h2-console/**", "/api/iot/**")
)