Question
I have this Controller in Java:
@Controller
public class AuthenticationController extends AbstractController {

    @RequestMapping(value = Constantes.MAPPING_AUTH_BASE_ASP, method = { RequestMethod.POST })
    public String authenticate(@Valid ComunicationWithAspRequest comunicationWithAspRequest, BindingResult result,
                               RedirectAttributes redirectAttributes, HttpSession sesion) throws Exception {
        ...
        ...
        ...
    }
}
When I scan my code in Fortify, the object comunicationWithAspRequest causes the "Mass Assignment: Insecure Binder Configuration" vulnerability. Is it possible to control which HTTP request parameters will be used in the binding process and which ones will be ignored?
Answer 1:
You may refer to the question "Prevent mass assignment in Spring MVC with Roo".
In your case, you can use @InitBinder provided by Spring MVC. @InitBinder lets you specify the whitelist for JSON and bean mapping.
In my experience, I used @RequestBody for auto-binding. I needed to add @JsonIgnore to mark the property that should not be included in the mapping.
SimpleController.java
@RequestMapping(value = "/simple")
public String simple(@Valid @RequestBody User user) {
    simpleService.doSomething();
    return "simple"; // view name; the original snippet omitted the return
}
User.java
public class User {
    private String name;

    @JsonIgnore          // excluded from Jackson (de)serialization, so it cannot be set from the request body
    private String dummy;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    public String getDummy() { return dummy; }
    public void setDummy(String dummy) { this.dummy = dummy; }
}
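The question's controller binds a form object from request parameters (not a JSON @RequestBody), so the relevant control is the WebDataBinder whitelist that @InitBinder configures; @JsonIgnore only affects Jackson and has no effect on parameter binding. The following is an added example, not code from the question or the answer: it assumes a hypothetical form object AuthRequest standing in for ComunicationWithAspRequest (whose fields are not shown on the page) and a made-up "/auth" mapping.

```java
package example;

import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

import javax.validation.Valid;
import javax.validation.constraints.NotBlank;

@Controller
public class AuthenticationController {

    // Hypothetical form object standing in for ComunicationWithAspRequest.
    public static class AuthRequest {
        @NotBlank
        private String username;
        @NotBlank
        private String token;
        // Internal state that must never be settable from a request parameter.
        private boolean authenticated;

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getToken() { return token; }
        public void setToken(String token) { this.token = token; }
        public boolean isAuthenticated() { return authenticated; }
        public void setAuthenticated(boolean authenticated) { this.authenticated = authenticated; }
    }

    // Runs before binding the model attribute named "authRequest" in this controller.
    // Only the listed fields may be populated from request parameters; a parameter
    // such as "authenticated=true" is silently dropped instead of reaching the setter.
    @InitBinder("authRequest")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("username", "token");
        // A denylist (binder.setDisallowedFields("authenticated")) also works, but an
        // allowlist is safer: fields added to the class later are excluded by default.
    }

    @PostMapping("/auth")
    public String authenticate(@Valid @ModelAttribute("authRequest") AuthRequest authRequest,
                               BindingResult result) {
        if (result.hasErrors()) {
            return "login";
        }
        // authRequest.isAuthenticated() is still false here whatever the client sent,
        // because the binder never touched that field.
        return "redirect:/home";
    }
}
```

Scoping the @InitBinder to the attribute name keeps the whitelist from accidentally applying to other form objects in the same controller; a method annotated with a bare @InitBinder applies to every binding in that controller, and a @ControllerAdvice class can apply one globally. Fortify reports the finding when a @ModelAttribute-bound object has neither setAllowedFields nor setDisallowedFields configured.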
Source: https://stackoverflow.com/questions/46840174/what-is-the-solution-for-mass-assignment-insecure-binder-configuration-vulnerab