What is the solution for Mass Assignment: Insecure Binder Configuration Vulnerability?

I have this Controller in Java:

@Controller
public class AuthenticationController extends AbstractController { @RequestMapping(value = Constantes.MAPPING_AUTH_BASE_ASP, method = { RequestMethod.POST }) public String authenticate(@Valid ComunicationWithAspRequest comunicationWithAspRequest, BindingResult result, RedirectAttributes redirectAttributes, HttpSession sesion) throws Exception { ... ... ... }
}

When I scan my code in Fortify, the object comunicationWithAspRequest causes the Mass Assignment: Insecure Binder Configuration Vulnerability. Is possible to control which HTTP request parameters will be used in the binding process and which ones will be ignored?

2 Answers

You may refer to the problem Prevent mass assignment in Spring MVC with Roo.

In your case, you can use @InitBinder provided by Spring MVC. @InitBinder would specify the white list for json and bean mapping.

In my experience, I used @RequestBody for auto-binding. I need to add @JsonIgnore to specify the property that would not include for the mapping.

SimpleController.java

@RequestMapping(value="/simple")
public String simple(@Valid @RequestBody User user){ simpleService.doSomething();
}

User.java

public class User{ private String name; @JsonIgnore private String dummy; public void getName(){return name;} public void setName(name){this.name = name;} public void getDummy(){return dummy;} public void setDummy(dummy){this.dummy= dummy;}
}
9

By adding @JsonIgnoreProperties(ignoreUnknown = true) annotation on the class level the issue can be resolve in case we don't know what to ignore.

@JsonIgnoreProperties(ignoreUnknown = true)
public class className{
}

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.

You Might Also Like