How to fix Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) in java

Question

I have a Controller class with the below two methods for finding a doctors (context changed). Getting the Mass Assignment: Insecure Binder Configuration (API Abuse,

Answer 1

InitBinder can be used for methods. You can try this.

@InitBinder("findDocByName")
public void initBinderByName(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{"distance","zipcode"});
}


@InitBinder("findDocByLocation")
public void initBinderByZipCode(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{"distance","name"});
}

Answer 2

i was facing same issue, then i added below code in same rest controller class:

@InitBinder
public void populateCustomerRequest(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{});
}

now its working fine for me and mass assignment issue was fixed.

Answer 3

This looks like an unfortunate false positive. The rule behind this error is made to avoid that properties present in an object but not intended to be (unvalidated) user input are accidentally populated from a web request. An example would be a POST request creating a resource. If the request handler takes the full resource object and fills only missing properties an malicious user could populate fields that she shouldn't be able to edit.

This case however does not match the scheme. You just use the same mechanism to capture your different arguments. Additionally populated properties will not even be read. In

GET http://yourhost/findDocSearch/byName?name=Abuse&zipCode=11111

the additional zipCode would just be ignored. Therefore the assumed risk is not present here.

To fix the warning, you could mark it as a false positive (if this is possible inside your setup). If that is not possible you could also just map the query parameters to method arguments directly. As you only have limited parameters that should not harm too much. If this is also no option you probably need to figure out the exact algorithm your code analysis uses to figure out what checks it will recognize. Unfortunately most scanners are only able to discover a limited set of ways to do input validation.

Answer 4

Simple question - how your mapper can instantionate the bean? Here is answer / example. You can pass that data by query parameter, or in header. However that would be strange. Better is to have that methods with @QueryParam providing location, or name. That way it will be easier to protect your application.

As a side note, query has limited length, so if your search form is big and strange, @POST can be good idea, and that way you can pass all the data. For this, simple example that would be overkill.