MVC Security Violation - Improperly Controlled Modification of Dynamically-Determined Object Attributes


Question

We are developing an MVC 5 application, and when we ran a security scan using Veracode we got the following flaw:

Improperly Controlled Modification of Dynamically-Determined Object Attributes

And it added this link as a reference for the fix: http://www.asp.net/mvc/overview/getting-started/getting-started-with-ef-using-mvc/implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application#overpost

Tried implementing the Bind attribute on my controllers' HTTP POST functions and the issue is fixed.

So in ASP.NET MVC, is it mandatory to use the Bind attribute for all POSTs to avoid the security violation?

Or can I ignore this flaw, or is there any other alternative way I can address this, as hard-coding and maintaining Bind attributes really gets difficult in real-time applications.

Please share your views.

Answer

It is not mandatory to use the Bind attribute.

The link which you have posted is basically the dirtiest example they could have come up with. They are directly binding an EF model into the controller, which no real-world application would do, and I hate that Microsoft shows you how easily you can go from DB to Web by applying the dirtiest worst-practice patterns without explaining that this is not something you would want to do in real life.

In real life you would create a (View)Model which is tailored to your View. This means the class will ONLY have the properties which you want to accept from the request; therefore you wouldn't really need the Bind attribute in most cases.

EF models are low-level classes in your data layer and shouldn't be bound to any controllers, IMO.

UPDATE: Actually, at the top of the link they have posted this:

Note: It's a common practice to implement the repository pattern in order to create an abstraction layer between your controller and the data access layer. To keep these tutorials simple and focused on teaching how to use the Entity Framework itself, they don't use repositories. For information about how to implement repositories, see the ASP.NET Data Access Content Map.

However, this is just talking about the repository pattern, which is a good pattern to abstract your data layer, but the DTO which the repository pattern would return is still too low-level for binding to a View.

You should create a model which is tailored to your view, and in your controller or service layer you can do the infrastructure mapping between the different layers.
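As an added example (not code from the original post or from the linked tutorial), the over-posting shape that the scan flags is shown beside the view-model shape the answer recommends; Student, IsAdmin, SchoolContext and StudentCreateViewModel are hypothetical names chosen for illustration.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Web.Mvc;

// Hypothetical EF entity: "IsAdmin" is persisted but must never be settable from a form post.
public class Student
{
    public int ID { get; set; }
    public string LastName { get; set; }
    public string FirstMidName { get; set; }
    public bool IsAdmin { get; set; }
}
public class SchoolContext : DbContext { public DbSet<Student> Students { get; set; } } // hypothetical

// View model tailored to the Create form: only the fields the request is allowed to send.
public class StudentCreateViewModel
{
    [Required] public string LastName { get; set; }
    [Required] public string FirstMidName { get; set; }
}

public class StudentController : Controller
{
    private readonly SchoolContext db = new SchoolContext();

    // 1. Over-posting: the entity is the action parameter, so an extra "IsAdmin=true"
    //    form field sets that column with no code change on the server.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult CreateUnsafe(Student student)
    {
        if (!ModelState.IsValid) return View(student);
        db.Students.Add(student); db.SaveChanges();
        return RedirectToAction("Index");
    }

    // 2. The answer's approach: bind the view model, then map it onto the entity.
    //    IsAdmin keeps its default because nothing in the request can reach it,
    //    and there is no [Bind] whitelist to keep in sync with the entity.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(StudentCreateViewModel vm)
    {
        if (!ModelState.IsValid) return View(vm);
        var student = new Student { LastName = vm.LastName, FirstMidName = vm.FirstMidName };
        db.Students.Add(student); db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```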
