Declaration: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same license, cite the original address and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/47945383/

Date: 2020-11-03 09:53:24  Source: igfitidea

How to fix Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) in java

Tags: java, spring, spring-mvc, fortify, mass-assignment

Asked by dildeepak

I have a Controller class with the below two methods for finding doctors (context changed). Getting the Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) error on both methods.

@Controller
@RequestMapping(value = "/findDocSearch")
public class Controller {

    @Autowired
    private IFindDocService findDocService;

    @RequestMapping(value = "/byName", method = RequestMethod.GET)
    @ResponseBody
    public List<FindDocDTO> findDocByName(FindDocBean bean) {
        return findDocService.retrieveDocByName(bean.getName());
    }

    @RequestMapping(value = "/byLoc", method = RequestMethod.GET)
    @ResponseBody
    public List<FindDocDTO> findDocByLocation(FindDocBean bean) {
        return findDocService.retrieveDocByZipCode(bean.getZipcode(),
        bean.getDistance());
    }
}

and my bean is:

public class FindDocBean implements Serializable {
    private static final long serialVersionUID = -1212xxxL;

    private String name;
    private String zipcode;
    private int distance;

    @Override
    public String toString() {
        return String.format("FindDocBean[name: %s, zipcode:%s, distance:%s]",
                name, zipcode, distance);
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getZipcode() {
        return zipcode;
    }

    public void setZipcode(String zipcode) {
        this.zipcode = zipcode;
    }

    public int getDistance() {
        return distance;
    }

    public void setDistance(int distance) {
        this.distance = distance;
    }
}

As per all the suggestions found so far, they suggest restricting the bean to the required parameters only, by something like the below:

final String[] DISALLOWED_FIELDS = new String[]{"bean.name", "bean.zipcode", };

@InitBinder
public void initBinder(WebDataBinder binder) {
    binder.setDisallowedFields(DISALLOWED_FIELDS);
}

But my problem is that all 3 parameters of the bean will be used in one or the other of the methods supplied on the Controller.

Can someone please suggest some solution for this? Thanks in advance.

Accepted answer by Mehmet Sunkur

InitBinder can be used for methods. You can try this.

@InitBinder("findDocByName")
public void initBinderByName(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{"distance","zipcode"});
}


@InitBinder("findDocByLocation")
public void initBinderByZipCode(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{"distance","name"});
}

Answer by Suraj Sharma

I was facing the same issue, then I added the below code in the same REST controller class:

@InitBinder
public void populateCustomerRequest(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{});
}

Now it's working fine for me and the mass assignment issue was fixed.
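The accepted answer's per-handler binders and the empty disallowed list in the answer just above both configure the binder through setDisallowedFields. The following is an added example, not code from the question or from either answer, showing the same controller with a per-handler allowlist instead. Two points matter here: the value of @InitBinder selects model attribute or request parameter names (not handler method names), so each handler parameter is given an explicit @ModelAttribute name for its binder to match; and setDisallowedFields(new String[]{}) leaves binding unrestricted, so every setter on FindDocBean stays reachable from the request, whereas setAllowedFields limits binding to the listed properties. It assumes Spring 4.3 or later (for @RestController and @GetMapping) and the question's own FindDocBean, FindDocDTO and IFindDocService types.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example: one binder per handler, each with an allowlist.
// FindDocBean, FindDocDTO and IFindDocService are the question's own types.
@RestController
@RequestMapping("/findDocSearch")
public class FindDocController {

    @Autowired
    private IFindDocService findDocService;

    // @InitBinder's value names the model attribute this binder applies to,
    // which is why the handler parameters below carry explicit attribute names.
    @InitBinder("byNameQuery")
    public void initByNameBinder(WebDataBinder binder) {
        // Allowlist: only "name" is bound for this attribute; a request that also
        // carries zipcode or distance leaves those properties at their defaults.
        binder.setAllowedFields("name");
    }

    @InitBinder("byLocationQuery")
    public void initByLocationBinder(WebDataBinder binder) {
        // Allowlist for the location search: "name" is not bindable here.
        binder.setAllowedFields("zipcode", "distance");
    }

    @GetMapping("/byName")
    public List<FindDocDTO> findDocByName(@ModelAttribute("byNameQuery") FindDocBean bean) {
        return findDocService.retrieveDocByName(bean.getName());
    }

    @GetMapping("/byLoc")
    public List<FindDocDTO> findDocByLocation(@ModelAttribute("byLocationQuery") FindDocBean bean) {
        return findDocService.retrieveDocByZipCode(bean.getZipcode(), bean.getDistance());
    }
}
```

With this in place, GET /findDocSearch/byName?name=Smith&zipcode=11111&distance=5 binds only name into the bean; the other two parameters are skipped by the binder rather than applied and then ignored. An allowlist is the safer default because a property added to FindDocBean later is unbindable until someone deliberately lists it, while a denylist has to be updated every time the bean grows.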

Answer by Michał Zaborowski

Simple question: how can your mapper instantiate the bean? Here is an answer / example. You can pass that data by query parameter, or in a header. However, that would be strange. Better is to have those methods with @QueryParam providing location, or name. That way it will be easier to protect your application.

As a side note, a query has limited length, so if your search form is big and strange, @POST can be a good idea, and that way you can pass all the data. For this, a simple example would be overkill.

Answer by Christian Frommeyer

This looks like an unfortunate false positive. The rule behind this error is made to avoid that properties present in an object but not intended to be (unvalidated) user input are accidentally populated from a web request. An example would be a POST request creating a resource. If the request handler takes the full resource object and fills only missing properties, a malicious user could populate fields that she shouldn't be able to edit.

This case however does not match the scheme. You just use the same mechanism to capture your different arguments. Additionally populated properties will not even be read. In


GET http://yourhost/findDocSearch/byName?name=Abuse&zipCode=11111


the additional zipCode would just be ignored. Therefore the assumed risk is not present here.


To fix the warning, you could mark it as a false positive (if this is possible inside your setup). If that is not possible you could also just map the query parameters to method arguments directly. As you only have limited parameters, that should not harm too much. If this is also no option you probably need to figure out the exact algorithm your code analysis uses to figure out what checks it will recognize. Unfortunately most scanners are only able to discover a limited set of ways to do input validation.
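To illustrate both halves of this answer, here is an added example that is not code from the answer or the question. It shows the pattern the rule is designed to catch (a persisted object bound straight from request parameters, so a privileged field can be set from the request) beside a hardened handler that binds to a request DTO, and then the question's two searches rewritten with @RequestParam so that no command object is bound at all. DoctorProfile, DoctorProfileForm and DoctorProfileRepository are hypothetical stand-ins for "the full resource object"; FindDocDTO and IFindDocService are the question's own types; Spring 4.3 or later is assumed.

```java
import java.util.List;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical persisted resource: "verified" is maintained by an internal
// review workflow and must never be taken from a client request.
class DoctorProfile {
    private String name;
    private String zipcode;
    private boolean verified;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getZipcode() { return zipcode; }
    public void setZipcode(String zipcode) { this.zipcode = zipcode; }
    public boolean isVerified() { return verified; }
    public void setVerified(boolean verified) { this.verified = verified; }
}

// Hypothetical request DTO: it only has setters for the fields a client may
// supply, so a "verified=true" request parameter has nothing to bind to.
class DoctorProfileForm {
    private String name;
    private String zipcode;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getZipcode() { return zipcode; }
    public void setZipcode(String zipcode) { this.zipcode = zipcode; }
}

// Hypothetical persistence interface.
interface DoctorProfileRepository {
    DoctorProfile save(DoctorProfile profile);
}

@RestController
@RequestMapping("/findDocSearch")
public class FindDocController {

    private final IFindDocService findDocService;
    private final DoctorProfileRepository repository;

    public FindDocController(IFindDocService findDocService, DoctorProfileRepository repository) {
        this.findDocService = findDocService;
        this.repository = repository;
    }

    // The pattern the rule targets: the entity itself is the command object, so a
    // request carrying "verified=true" sets the privileged field before the save.
    @PostMapping("/profile/unsafe")
    public DoctorProfile createProfileUnsafe(@ModelAttribute DoctorProfile profile) {
        return repository.save(profile);
    }

    // Hardened: bind to the DTO, copy the permitted fields across explicitly and
    // set the privileged field on the server side only.
    @PostMapping("/profile")
    public DoctorProfile createProfile(@ModelAttribute DoctorProfileForm form) {
        DoctorProfile profile = new DoctorProfile();
        profile.setName(form.getName());
        profile.setZipcode(form.getZipcode());
        profile.setVerified(false);
        return repository.save(profile);
    }

    // The question's searches with query parameters mapped straight to arguments:
    // no bean is bound, so an extra zipCode on /byName is simply ignored and there
    // is no WebDataBinder configuration for the scanner to flag.
    @GetMapping("/byName")
    public List<FindDocDTO> findDocByName(@RequestParam("name") String name) {
        return findDocService.retrieveDocByName(name);
    }

    @GetMapping("/byLoc")
    public List<FindDocDTO> findDocByLocation(
            @RequestParam("zipcode") String zipcode,
            @RequestParam(value = "distance", defaultValue = "10") int distance) {
        return findDocService.retrieveDocByZipCode(zipcode, distance);
    }
}
```

The DTO approach is the general fix for the risk this answer describes: the class that the binder populates should contain exactly the properties a client is allowed to set, and any server-controlled state is assigned in code after binding. The @RequestParam handlers are the answer's suggested fix for the question's specific case, where only a couple of scalar parameters are needed per endpoint.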