### Vulnerability Summary

**Vulnerability Overview**

The `/instance/detailPlus` interface in PowerJob contains two critical security flaws:

1. **Unauthorized Access**: The `getInstanceDetailPlus` method lacks the `@ApiPermission` annotation, so the interface can be called without authentication, unlike the other interfaces of the same controller.
2. **SQL Injection**: The blacklist applied to the `customQuery` parameter is incomplete. It does not filter H2 database-specific dangerous commands (such as `RUNSCRIPT`, `CALL`, `LINK`, and `SCRIPT`), so an attacker who controls `customQuery` can use these commands to execute arbitrary code. Combined with the missing permission check, the injection is reachable without credentials.

**Affected Versions**

PowerJob v5.1.0 ~ v5.1.2

**Remediation Plan**

1. **Enforce Authentication (Patch A)**: Add the `@ApiPermission` annotation to the `getInstanceDetailPlus` method so that it is protected in the same way as the other interfaces.
2. **Expand Blacklist (Patch B)**: Add the H2-specific dangerous keywords to the filtering logic for `customQuery`. The existing check is a case-insensitive substring match (`StringUtils.containsAnyIgnoreCase`), so the new keywords are simply appended to its argument list.

**Relevant Code Snippets**

The snippets below are abbreviated as in the original advisory; the elided parts (`...`) are not reproduced here.

```java
// Patch A: Add permission annotation
@PostMapping("/detailPlus")
@ApiPermission(name = "Instance-DetailPlus", roleScope = RoleScope.APP, requiredPermission = Permission...)
public Result getInstanceDetailVO() {
    getInstanceDetailPlus(...)
}

// Patch B: Expand blacklist
StringUtils.containsAnyIgnoreCase(nonNullCustomQuery, ..., "RUNSCRIPT", "CALL", "LINK", "SCRIPT")
```
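To make the behaviour of Patch B concrete, the following is an added example, not PowerJob's own code: a plain-JDK equivalent of the case-insensitive substring blacklist, loaded with only the four H2 keywords the advisory names (the original, elided part of the list is not reproduced, and the class, method names and sample queries are assumptions for illustration). It shows which inputs the check rejects, including a benign query that is rejected because an identifier merely contains one of the blocked words.

```java
import java.util.List;
import java.util.Locale;

/**
 * Added illustration (not PowerJob's code). Mirrors the semantics of
 * StringUtils.containsAnyIgnoreCase(query, keywords...) used in Patch B:
 * the query is rejected if it contains any blocked keyword as a
 * case-insensitive substring, regardless of word boundaries.
 */
public class CustomQueryBlacklist {

    // Assumed illustrative blacklist: only the H2 keywords named in the advisory.
    static final List<String> BLOCKED = List.of("RUNSCRIPT", "CALL", "LINK", "SCRIPT");

    /** Returns the first blocked keyword found in the query, or null if none matches. */
    static String findBlockedKeyword(String customQuery) {
        if (customQuery == null) {
            return null;
        }
        String upper = customQuery.toUpperCase(Locale.ROOT);
        for (String keyword : BLOCKED) {
            if (upper.contains(keyword)) {
                return keyword;
            }
        }
        return null;
    }

    /** True if the query passes the blacklist and would reach the database. */
    static boolean isAllowed(String customQuery) {
        return findBlockedKeyword(customQuery) == null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none of them is executed against a database here.
        String[] samples = {
            "status = 1 AND instance_id > 100",        // benign: allowed
            "1=1; RUNSCRIPT FROM '/tmp/x.sql'",         // blocked on RUNSCRIPT
            "1=1; call RAND()",                         // blocked: match is case-insensitive
            "status = 1 AND callback_url IS NOT NULL", // benign, but rejected: contains "call"
        };
        for (String sample : samples) {
            String hit = findBlockedKeyword(sample);
            System.out.printf("%-45s -> %s%n", sample,
                    hit == null ? "allowed" : "blocked (" + hit + ")");
        }
    }
}
```

The last sample is the practical caveat of this fix: because the check is a substring match, any legitimate column or value containing `call`, `link` or `script` is rejected along with the attacks. That is the usual trade-off of keyword blacklists; it makes the filter safe to deploy quickly but is a reason to prefer an allowlist of permitted columns and operators, or a parameterised query, over time.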