What is the solution for Mass Assignment: Insecure Binder Configuration Vulnerability?

Views: 3289

Problem description

I have this Controller in Java:

@Controller
public class AuthenticationController extends AbstractController {

  @RequestMapping(value = Constantes.MAPPING_AUTH_BASE_ASP, method = { RequestMethod.POST })
  public String authenticate(@Valid ComunicationWithAspRequest comunicationWithAspRequest, BindingResult result,
      RedirectAttributes redirectAttributes, HttpSession sesion) throws Exception {
    ...
    ...
    ...
  }
}


When I scan my code in Fortify, the object comunicationWithAspRequest causes the Mass Assignment: Insecure Binder Configuration Vulnerability. Is it possible to control which HTTP request parameters will be used in the binding process and which ones will be ignored?

Recommended answer

You may refer to the problem Prevent mass assignment in Spring MVC with Roo.


In your case, you can use @InitBinder provided by Spring MVC. @InitBinder would specify the whitelist for JSON and bean mapping.


In my experience, I used @RequestBody for auto-binding. I need to add @JsonIgnore to specify the property that would not be included in the mapping.

SimpleController.java

@RequestMapping(value="/simple")
public String simple(@Valid @RequestBody User user){
   simpleService.doSomething();
   return "simple";   // view name; the original snippet had no return statement
}

User.java

import com.fasterxml.jackson.annotation.JsonIgnore;

public class User{
   private String name;

   @JsonIgnore            // excluded from JSON (de)serialization, so a client cannot set it
   private String dummy;

   public String getName(){return name;}
   public void setName(String name){this.name = name;}
   public String getDummy(){return dummy;}
   public void setDummy(String dummy){this.dummy = dummy;}

}
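As an added illustration of the @InitBinder whitelist the answer mentions for the questioner's form-bound controller (this is not code from the original post or from Spring itself), assuming a hypothetical request bean with `username` and `password` fields that should bind and an `admin` flag that must never be set by the client:

```java
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;

import javax.validation.Valid;

// Hypothetical request bean (assumed field names; the original post does not show them).
class ComunicationWithAspRequest {
    private String username;
    private String password;
    private boolean admin;   // internal flag; must not be bindable from the request

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

@Controller
public class AuthenticationController {

    // Applies to the model attribute named "comunicationWithAspRequest" (Spring's default
    // name for the bean type). Only the listed fields are populated from request parameters;
    // a submitted "admin=true" is left unbound instead of flipping the flag.
    @InitBinder("comunicationWithAspRequest")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("username", "password");
    }

    @PostMapping("/auth")   // assumed path; the original uses a constant
    public String authenticate(@Valid ComunicationWithAspRequest request, BindingResult result) {
        if (result.hasErrors()) {
            return "login";
        }
        // ... authenticate the user ...
        return "redirect:/home";
    }
}
```

`setDisallowedFields` offers the inverse (a blacklist), but the allow-list is the safer choice because a property added to the bean later is not bindable until it is explicitly listed.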
