Description
Anton Abashkin opened SPR-13835 and commented
Most modern frameworks provide a convenience mechanism for binding form data to a domain object. Spring MVC is no exception.
While such a function is certainly indispensable, it exposes the application to the risk of a mass assignment vulnerability http://www.hpenterprisesecurity.com/vulncat/en/vulncat/java/mass_assignment_sensitive_field_exposure.html
A very serious vulnerability, this is actually how GitHub got hacked back in 2012 http://www.infoq.com/news/2012/03/GitHub-Compromised
Currently, Spring MVC does address this issue by providing two methods:
While obviously a step in the right direction, this approach is not always optimal, the reason being the developer must set this in each controller using @InitBinder. This duplicates effort and is error prone.
One alternative for the developer is to create Data Transfer Objects (DTOs). While this does indeed provide protection, as well as other architectural benefits, it is not practiced by many developers.
I believe the optimal way to address this is to do something similar to what the the Play Framework does by providing a @NoBind annotation: https://www.playframework.com/documentation/1.4.x/controllers#nobinding
public class User extends Model {
@NoBinding("profile") public boolean isAdmin;
@As("dd, MM yyyy") Date birthDate;
public String name;
}public static void editProfile(@As("profile") User user) {
// ...
}Expressing these constraints directly in the domain object using annotations seems optimal from both a development and security auditing point of view
Thoughts?
Issue Links:
- Provide support for configuring the bindable properties of a form-backing object using field-level annotations [SPR-7747] #12403 Provide support for configuring the bindable properties of a form-backing object using field-level annotations
- Ability to suppress "rejectedValue" in error responses [SPR-14771] #19337 Ability to suppress "rejectedValue" in error responses
2 votes, 5 watchers