What is the solution for Mass Assignment: Insecure

2019-05-22 15:16发布

站内问答 / Java
1649 1 4

I have this Controller in Java:

@Controller
public class AuthenticationController extends AbstractController {

  @RequestMapping(value = Constantes.MAPPING_AUTH_BASE_ASP, method = { RequestMethod.POST })
  public String authenticate(@Valid ComunicationWithAspRequest comunicationWithAspRequest, BindingResult result,
      RedirectAttributes redirectAttributes, HttpSession sesion) throws Exception {
    ...
    ...
    ...
  }
}

When I scan my code in Fortify, the object comunicationWithAspRequest causes the Mass Assignment: Insecure Binder Configuration Vulnerability. Is possible to control which HTTP request parameters will be used in the binding process and which ones will be ignored?

标签: java fortify
举报
1条回答
贪生不怕死
2楼-- · 2019-05-22 15:44

You may refer to the problem Prevent mass assignment in Spring MVC with Roo.

In your case, you can use @InitBinder provided by Spring MVC. @InitBinder would specify the white list for json and bean mapping.

In my experience, I used @RequestBody for auto-binding. I need to add @JsonIgnore to specify the property that would not include for the mapping.

SimpleController.java

@RequestMapping(value="/simple")
public String simple(@Valid @RequestBody User user){
   simpleService.doSomething();
}

User.java

public class User{
   private String name;

   @JsonIgnore
   private String dummy;

   public void getName(){return name;}
   public void setName(name){this.name = name;}
   public void getDummy(){return dummy;}
   public void setDummy(dummy){this.dummy= dummy;}

}
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)