Anton Abashkin opened SPR-13835 and commented
Most modern frameworks provide a convenience mechanism for binding form data to a domain object. Spring MVC is no exception.
While such a function is certainly indispensable, it exposes the application to the risk of a mass assignment vulnerability http://www.hpenterprisesecurity.com/vulncat/en/vulncat/java/mass_assignment_sensitive_field_exposure.html
A very serious vulnerability, this is actually how GitHub got hacked back in 2012 http://www.infoq.com/news/2012/03/GitHub-Compromised
Currently, Spring MVC does address this issue by providing two methods:
http://docs.spring.io/autorepo/docs/spring-framework/3.1.x/javadoc-api/org/springframework/validation/DataBinder.html#setAllowedFields%28java.lang.String...%29
http://docs.spring.io/autorepo/docs/spring-framework/3.1.x/javadoc-api/org/springframework/validation/DataBinder.html#setDisallowedFields%28java.lang.String...%29
While obviously a step in the right direction, this approach is not always optimal, the reason being the developer must set this in each controller using @InitBinder. This duplicates effort and is error prone.
One alternative for the developer is to create Data Transfer Objects (DTOs). While this does indeed provide protection, as well as other architectural benefits, it is not practiced by many developers.
I believe the optimal way to address this is to do something similar to what the the Play Framework does by providing a @NoBind annotation: https://www.playframework.com/documentation/1.4.x/controllers#nobinding
public class User extends Model {
@NoBinding("profile") public boolean isAdmin;
@As("dd, MM yyyy") Date birthDate;
public String name;
}public static void editProfile(@As("profile") User user) {
// ...
}Expressing these constraints directly in the domain object using annotations seems optimal from both a development and security auditing point of view
Thoughts?
Issue Links:
2 votes, 5 watchers
Anton Abashkin opened SPR-13835 and commented
Most modern frameworks provide a convenience mechanism for binding form data to a domain object. Spring MVC is no exception.
While such a function is certainly indispensable, it exposes the application to the risk of a mass assignment vulnerability http://www.hpenterprisesecurity.com/vulncat/en/vulncat/java/mass_assignment_sensitive_field_exposure.html
A very serious vulnerability, this is actually how GitHub got hacked back in 2012 http://www.infoq.com/news/2012/03/GitHub-Compromised
Currently, Spring MVC does address this issue by providing two methods:
http://docs.spring.io/autorepo/docs/spring-framework/3.1.x/javadoc-api/org/springframework/validation/DataBinder.html#setAllowedFields%28java.lang.String...%29
http://docs.spring.io/autorepo/docs/spring-framework/3.1.x/javadoc-api/org/springframework/validation/DataBinder.html#setDisallowedFields%28java.lang.String...%29
While obviously a step in the right direction, this approach is not always optimal, the reason being the developer must set this in each controller using
@InitBinder. This duplicates effort and is error prone.One alternative for the developer is to create Data Transfer Objects (DTOs). While this does indeed provide protection, as well as other architectural benefits, it is not practiced by many developers.
I believe the optimal way to address this is to do something similar to what the the Play Framework does by providing a
@NoBindannotation: https://www.playframework.com/documentation/1.4.x/controllers#nobindingExpressing these constraints directly in the domain object using annotations seems optimal from both a development and security auditing point of view
Thoughts?
Issue Links:
2 votes, 5 watchers