Preventing malicious users from updating data in the add action

Question

Here is a basic add action:

public function add()
{
    $article = $this->Articles->newEntity();

    if ($this->request->is('post')) {
        $article = $this->Articles->patchEntity($article, $this->request->data);

        if ($this->Articles->save($article)) {
            $this->Flash->success('Success.');
            return $this->redirect(['action' => 'index']);
        } else {
            $this->Flash->error('Fail.');
        }
    }

    $this->set(compact('article'));
}

If a malicious user injects into the form a field named id and sets the value of this field to 2: since the user does that, the id value will be in $this->request->data, so at $this->Articles->patchEntity($article, $this->request->data) this id will be patched, and at $this->Articles->save($article) record 2 will be updated instead of creating a new record??

Solution

Depends.

Entity::$_accessible

If you baked your models, then this shouldn't happen, as the primary key field will not be included in the entity's _accessible property, which defines the fields that can be mass assigned when creating/patching entities. (This behavior changed lately.)

If you baked your models, then this shouldn't happen, as the primary key field(s) will be set to be non-assignable in the entity's _accessible property, which means that these fields cannot be set via mass assignment when creating/patching entities.

If you didn't bake your models and haven't defined the _accessible property, or have added the primary key field to it, then yes: in case the posted data makes it to the patching mechanism, that is what will happen, and you'll be left with an UPDATE instead of an INSERT.

The Security component

The Security component will prevent form tampering, and reject requests with modified forms. If you'd use it, then the form data wouldn't make it to the add() method in the first place.

There's also the fieldList option

The fieldList option can be used when creating/patching entities in order to specify the fields that are allowed to be set on the entity. Leave out the id field, and it cannot be injected anymore.

$article = $this->Articles->patchEntity($article, $this->request->data, [
    'fieldList' => [
        'title',
        'body',
        //...
    ]
]);

And finally, validation

Validation can prevent injections too, however that might be considered a little wonky. A custom rule that simply returns false would, for example, do it; you could create an additional validator, something like

// In the table class (typically src/Model/Table/ArticlesTable.php), with
// `use Cake\Validation\Validator;` at the top of the file.
public function validationAdd(Validator $validator) {
    return
        $this->validationDefault($validator)
            // Any posted `id` fails validation, so the entity is never saved.
            ->add('id', 'mustNotBePresent', ['rule' => function() {
                return false;
            }]);
}

which could then be used when patching the entity like

$article = $this->Articles->patchEntity($article, $this->request->data, [
    'validate' => 'add'
]);
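The _accessible protection described above, shown as an added example that is not part of the original answer: it assumes a CakePHP 3 app with an Articles table and an Article entity, and puts the entity definition next to an add() action that additionally applies fieldList, so a posted `id` field is dropped before it can turn the INSERT into an UPDATE.

```php
<?php
// src/Model/Entity/Article.php (added example; assumed file layout)
namespace App\Model\Entity;

use Cake\ORM\Entity;

class Article extends Entity
{
    // Mass-assignment whitelist, as a baked entity defines it: every field
    // may be patched except the primary key. newEntity()/patchEntity()
    // silently ignore an injected `id`, so the entity stays new.
    protected $_accessible = [
        '*' => true,
        'id' => false,
    ];
}

// src/Controller/ArticlesController.php (added example; assumed file layout)
namespace App\Controller;

class ArticlesController extends AppController
{
    public function add()
    {
        $article = $this->Articles->newEntity();

        if ($this->request->is('post')) {
            // Second layer: even if _accessible is relaxed later, this action
            // only ever patches the fields it actually expects from the form.
            $article = $this->Articles->patchEntity($article, $this->request->data, [
                'fieldList' => ['title', 'body'],
            ]);

            // isNew() is still true here: no `id` reached the entity, so save()
            // issues an INSERT instead of an UPDATE of an existing record.
            if ($article->isNew() && $this->Articles->save($article)) {
                $this->Flash->success('Success.');
                return $this->redirect(['action' => 'index']);
            }
            $this->Flash->error('Fail.');
        }

        $this->set(compact('article'));
    }
}
```

Either layer alone already blocks the injection; using both means a later change to the entity's _accessible rules does not silently reopen this action.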
