HP Fortify - Mass assignment


Question

The HP Fortify scan gives me the message "Mass Assignment: Insecure Binder Configuration (API Abuse, Structural)" for most of the action methods in my controller. Below is an example of the action method.

<HttpPost()>
Public Function Edit(model As GridViewModel) As ActionResult
    ' The whole model is bound from the request; this is the binding Fortify flags.
    Dim manager As New Managers
    manager.Edit(model.id, model.name, model.desc, model.[class])
    Return Nothing
End Function

When I tried the following method the error was gone.

<HttpPost()>
Public Function Edit(id As Integer?, name As String, desc As String, [class] As String) As ActionResult
    ' Each field is bound individually; no other model property can be set from the request.
    Dim manager As New Managers
    manager.Edit(id, name, desc, [class])
    Return Nothing
End Function

But the above code seems to be MVC bad practice. Please suggest a method to overcome this issue.

Answer

In C#, you can specify which items in the model will be allowed in. For example, your routine would look like this in C#:

[HttpPost]
public ActionResult Edit([Bind(Include = "id,name,desc,class")] GridViewModel model)
{
    // Only the four listed properties are bound; any other field in the
    // request is ignored by the DefaultModelBinder.
    Managers manager = new Managers();
    manager.Edit(model.id, model.name, model.desc, model.@class);

    return RedirectToAction("Edit", "[Controller]");
}

This should at least give you a jumping-off point to research the language you are writing in and see whether it allows the same thing.

In addition to being able to include specific parameters (whitelisting), you can also exclude parameters simply by using [Bind(Exclude = "")].
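The following is an added example, not code from the question or the answer above. It shows why the binder configuration is reported as mass assignment and the three ways to close it in ASP.NET MVC 5 (System.Web.Mvc): `[Bind(Include)]`, `[Bind(Exclude)]`, and a dedicated input model. The `GridViewModel` with an `IsAdmin` property, `GridEditInput`, and `IGridRepository` are hypothetical stand-ins for the asker's `GridViewModel` and `Managers` classes.

```csharp
// Added example, not from the original question or answer. ASP.NET MVC 5.
// GridViewModel.IsAdmin, GridEditInput and IGridRepository are hypothetical
// stand-ins for the asker's GridViewModel and Managers classes.
using System.Web.Mvc;

namespace MassAssignmentDemo
{
    // Entity that doubles as the action parameter. Every public settable
    // property is a binding target for DefaultModelBinder, including the
    // ones the edit form never renders.
    public class GridViewModel
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public string Desc { get; set; }
        public string Class { get; set; }
        public bool IsAdmin { get; set; }   // hypothetical sensitive flag
    }

    // Dedicated input model holding only user-editable fields. Nothing
    // sensitive exists on it, so there is nothing to over-post.
    public class GridEditInput
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public string Desc { get; set; }
        public string Class { get; set; }
    }

    public interface IGridRepository
    {
        GridViewModel Find(int id);
        void Save(GridViewModel row);
    }

    public class GridController : Controller
    {
        private readonly IGridRepository _repo;

        public GridController(IGridRepository repo)
        {
            _repo = repo;
        }

        // VULNERABLE (what Fortify reports): the whole entity is bound.
        // A POST body of  Id=7&Name=a&Desc=b&Class=c&IsAdmin=true  sets
        // IsAdmin even though the HTML form has no such field.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult EditUnsafe(GridViewModel model)
        {
            if (!ModelState.IsValid) return View(model);
            _repo.Save(model);
            return RedirectToAction("Index");
        }

        // Fix 1: whitelist on the parameter. Only the listed names are bound;
        // an IsAdmin value in the request is silently dropped.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult EditWithInclude(
            [Bind(Include = "Id,Name,Desc,Class")] GridViewModel model)
        {
            if (!ModelState.IsValid) return View(model);
            return ApplyEdit(model.Id, model.Name, model.Desc, model.Class);
        }

        // Fix 2: blacklist. Works today, but a property added to the entity
        // later is bindable by default until someone extends this list, so
        // prefer Include or a dedicated input model.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult EditWithExclude(
            [Bind(Exclude = "IsAdmin")] GridViewModel model)
        {
            if (!ModelState.IsValid) return View(model);
            return ApplyEdit(model.Id, model.Name, model.Desc, model.Class);
        }

        // Fix 3: dedicated input model. No attribute string to keep in sync
        // with the class; the binder can only populate editable fields.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Edit(GridEditInput input)
        {
            if (!ModelState.IsValid) return View(input);
            return ApplyEdit(input.Id, input.Name, input.Desc, input.Class);
        }

        // Copy only the permitted fields onto the stored row. Saving the bound
        // object itself would also write its unbound properties (IsAdmin =
        // false) over whatever is stored, which is the mirror-image bug.
        private ActionResult ApplyEdit(int id, string name, string desc, string cls)
        {
            var row = _repo.Find(id);
            if (row == null) return HttpNotFound();
            row.Name = name;
            row.Desc = desc;
            row.Class = cls;
            _repo.Save(row);
            return RedirectToAction("Index");
        }
    }
}
```

For the asker's VB.NET controller, Fix 1 is written with the same attribute on the parameter: `Public Function Edit(<Bind(Include:="id,name,desc,class")> model As GridViewModel) As ActionResult`. The asker's second snippet, with one primitive parameter per field, is Fix 3 without the wrapping class; the dedicated input model keeps that safety while leaving the action signature tidy.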
