I have this Controller in Java:

@Controller public class AuthenticationController extends AbstractController { @RequestMapping(value = Constantes.MAPPING_AUTH_BASE_ASP, method = { RequestMethod.POST }) public String authenticate(@Valid ComunicationWithAspRequest comunicationWithAspRequest, BindingResult result, RedirectAttributes redirectAttributes, HttpSession sesion) throws Exception { ... ... ... } } 

When I scan my code in Fortify, the object comunicationWithAspRequest causes the Mass Assignment: Insecure Binder Configuration Vulnerability. Is possible to control which HTTP request parameters will be used in the binding process and which ones will be ignored?

2 Answers

You may refer to the problem Prevent mass assignment in Spring MVC with Roo.

In your case, you can use @InitBinder provided by Spring MVC. @InitBinder would specify the white list for json and bean mapping.

In my experience, I used @RequestBody for auto-binding. I need to add @JsonIgnore to specify the property that would not include for the mapping.

SimpleController.java

@RequestMapping(value="/simple") public String simple(@Valid @RequestBody User user){ simpleService.doSomething(); } 

User.java

public class User{ private String name; @JsonIgnore private String dummy; public void getName(){return name;} public void setName(name){this.name = name;} public void getDummy(){return dummy;} public void setDummy(dummy){this.dummy= dummy;} } 
9

By adding @JsonIgnoreProperties(ignoreUnknown = true) annotation on the class level the issue can be resolve in case we don't know what to ignore.

@JsonIgnoreProperties(ignoreUnknown = true) public class className{ } 

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.