How to fix Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) in java
InitBinder can be used for methods. You can try this.
@InitBinder("findDocByName")
public void initBinderByName(WebDataBinder binder) {
binder.setDisallowedFields(new String[]{"distance","zipcode"});
}
@InitBinder("findDocByLocation")
public void initBinderByZipCode(WebDataBinder binder) {
binder.setDisallowedFields(new String[]{"distance","name"});
}
What is the solution for Mass Assignment: Insecure Binder Configuration Vulnerability?
You may refer to the problem Prevent mass assignment in Spring MVC with Roo.
In your case, you can use @InitBinder provided by Spring MVC. @InitBinder would specify the white list for json and bean mapping.
In my experience, I used @RequestBody for auto-binding. I need to add @JsonIgnore to specify the property that would not include for the mapping.
SimpleController.java
@RequestMapping(value="/simple")
public String simple(@Valid @RequestBody User user){
simpleService.doSomething();
}
User.java
public class User{
private String name;
@JsonIgnore
private String dummy;
public void getName(){return name;}
public void setName(name){this.name = name;}
public void getDummy(){return dummy;}
public void setDummy(dummy){this.dummy= dummy;}
}
mass assignment insecure binder configuration Rest framework , JSON http request :I am not using Spring MVC
This can be implemeted via Jacksonson . Jackson is one of the best JSON Providers/parsers and can be used with Jersey in Rest implemetation.The REST services will produce and consume JSON and the JSON serialization and de-serialization happens automatically behind the scenes
Create View class as :
public class View {
public static class Editable {}
public static class Viewable extends Editable {}
public static class Internal extends Viewable {}
}
Create Model class as :
@JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement(name = "activateService")
public class ActivateService implements Serializable {
@JsonView(View.Editable.class)
public String mWalletToken;
@JsonView(View.Editable.class)
public String topMerchantEMPID;
@JsonView(View.Editable.class)
public String serviceCategory;
}
and the Rest -full web service method :
@POST
@Path("/TimRestService")
@Consumes({MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_JSON})
public Response crunchifyREST(@JsonView(View.Editable.class) final ActivateService model, @Context HttpServletRequest request) {
In JAX-RS, if one model(either request or response) is annotated with @JsonView(View.Editable.class), in our case add method, Jackson will only serialize or deserialize fields that are annotated with @JsonView(View.Editable.class).
In our case, client can only pass editableField, if client pass any other fields, server will just silently ignore them.
Use below dependencies in pom.xml
<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-
databind -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.5</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.sun.jersey/jersey-json -->
<dependency>
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-json</artifactId>
<version>1.19.4</version>
</dependency>
Source :- https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet
and http://lifelongprogrammer.blogspot.com/2015/09/using-jackson-view-to-protect-mass-assignment.html
Mass Assignment: Insecure Binder Configuration with Fortify Java 1.8 EJB
Do you expect all fields to be present in request? You are using @Valid
annotation but there are no validation annotations in MyClassRequest
model. Try to add some validation annotations like @JsonIgnore
for non mandatory fields. Or @JsonInclude
on class. If this does not help, may be also try explicitly adding @JsonProperty
on each field.
Related Topics
How to Use Jackson to Deserialise an Array of Objects
How to Increase the Java Heap Size Permanently
Could Not Extract Resultset in Hibernate
Spring Junit: How to Mock Autowired Component in Autowired Component
Spring Boot - Post Method Not Allowed, But Get Works
Java: How to Ask User If He/She Wants to Continue Program
How to Send List of Long to Rest Controller Spring Boot
Java 8 Streams - How to Merge Elements from the List With the Same Fields to One Element and Sum Up
Shifting Characters Within a String
Wrong Answer in Task - Mistake in Algorithm
Arraylist: How Does the Size Increase
Reverse a String Without Affecting Special Characters
Could Not Read Json: Can Not Deserialize Instance of Hello.Country[] Out of Start_Object Token
How to Return a HTML Page from a Restful Controller in Spring Boot
How to Replace Every N-Th Character X from an String