What is the solution for Mass Assignment: Insecure Binder Configuration Vulnerability?
Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must comply with the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverflow
Original address: http://stackoverflow.com/questions/46840174/
Asked by Brayan Reyes
I have this Controller in Java:
@Controller
public class AuthenticationController extends AbstractController {

    @RequestMapping(value = Constantes.MAPPING_AUTH_BASE_ASP, method = { RequestMethod.POST })
    public String authenticate(@Valid ComunicationWithAspRequest comunicationWithAspRequest, BindingResult result,
                               RedirectAttributes redirectAttributes, HttpSession sesion) throws Exception {
        ...
        ...
        ...
    }
}
When I scan my code in Fortify, the object comunicationWithAspRequest causes the Mass Assignment: Insecure Binder Configuration Vulnerability. Is it possible to control which HTTP request parameters will be used in the binding process and which ones will be ignored?
Answered by Ben Cheng
You may refer to the problem Prevent mass assignment in Spring MVC with Roo.
In your case, you can use @InitBinder provided by Spring MVC. @InitBinder would specify the white list for json and bean mapping.
In my experience, I used @RequestBody for auto-binding. I need to add @JsonIgnore to specify the property that would not be included for the mapping.
SimpleController.java
@RequestMapping(value = "/simple")
public String simple(@Valid @RequestBody User user) {
    simpleService.doSomething();
    return "simple"; // view name; the original snippet omitted the return statement
}
User.java
import com.fasterxml.jackson.annotation.JsonIgnore;

public class User {
    private String name;

    @JsonIgnore            // excluded from JSON (de)serialization, so a client cannot set it
    private String dummy;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getDummy() { return dummy; }
    public void setDummy(String dummy) { this.dummy = dummy; }
}
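The question's controller binds a form/query-parameter command object rather than a JSON body, so the @InitBinder allow-list from the answer is the fix that applies there. The following is an added example, not code from the question, the answer or the Spring project: a controller with a hypothetical LoginRequest command object (standing in for ComunicationWithAspRequest, whose fields are not shown) whose binder only accepts the fields named in setAllowedFields, so a request parameter such as admin=true is dropped before it can reach the bean.

```java
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.validation.Valid;

// Added example (hypothetical names); demonstrates binder allow-listing against mass assignment.
@Controller
public class AuthenticationController {

    // Command object populated from POST parameters. Hypothetical stand-in for
    // the question's ComunicationWithAspRequest.
    public static class LoginRequest {
        private String username;
        private String password;
        private boolean admin;   // server-controlled; must never be settable by the client

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Invoked for every binding of the "loginRequest" model attribute in this
    // controller. Only the listed property names may be populated from request
    // parameters; any other parameter (admin, nested paths, etc.) is ignored.
    // Patterns such as "address.*" are allowed if nested properties are needed.
    @InitBinder("loginRequest")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("username", "password");
    }

    @RequestMapping(value = "/auth", method = RequestMethod.POST)
    public String authenticate(@Valid LoginRequest loginRequest, BindingResult result) {
        if (result.hasErrors()) {
            return "login";
        }
        // loginRequest.isAdmin() is false here whatever the client sent,
        // because "admin" was never an allowed binding target.
        return "redirect:/home";
    }
}
```

Prefer setAllowedFields over setDisallowedFields: an allow-list only has to name the properties the form legitimately submits, whereas a deny-list has to anticipate every property (including nested ones) that must not be reachable, and Fortify flags the absence of a configured allow-list as exactly this finding. If several controllers share the same command classes, the same @InitBinder method can be placed in a @ControllerAdvice class so the restriction applies everywhere.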