
I am starting a new project with Spring Roo. I have found that the MVC controllers that it generates are vulnerable to mass assignment. I wonder if there is a standard way to allow only certain fields from being updated. I am thinking about using @InitBinder, but I don't know if it is the best approach.

I have the impression that this issue and CSRF prevention are overlooked in most of the Java EE frameworks that I know. Even worse, these vulnerabilities are often found even in their own sample code.

Side note: I already know HDIV, but I don't want to "uglify" my nice REST URLs except for CSRF prevention.

  • "CSRF prevention are overlooked in most of the Java EE frameworks" - JSF hasn't really overlooked this. It by design only accepts data that has also been rendered. – Arjan Tijms Jul 20 '12 at 22:50
  • @ArjanTijms I haven't worked with JSF for a long time, but it seems that this ViewState feature doesn't protect from CSRF, at least not in every JSF implementation. http://www.seamframework.org/Documentation/CrossSiteRequestForgery#H-ProtectingJSFPostbacks – Manolo Santos Jul 23 '12 at 13:05
  • @ManaloSantos Thanks for the link. There are actually two security issues here: *mass assignment (MA)* and *CSRF*. AFAIK JSF, for all standard components, always protects against MA. It matches IDs of submitted components against IDs that were rendered, by simply executing the exact same algo at the postback as it does for rendering. Additionally select components explicitly check after a postback whether the submitted value is within the select items list attached to it. E.g. it will only accept 'Foo' if 'Foo' is in that list at the moment of the postback. – Arjan Tijms Jul 23 '12 at 20:14
  • @ManaloSantos Then about CSRF, it's a different kind of attack. JSF 2.1 and before has an implicit protection against this via the view state that must be present. `facelets.BUILD_BEFORE_RESTORE` compromises that, but it's not the default. From JSF 2.2 on there's an explicit security token to prevent this attack. See http://jdevelopment.nl/jsf-22/#869 and http://java.net/jira/browse/JAVASERVERFACES-1028 – Arjan Tijms Jul 23 '12 at 20:21
  • I was searching for a solution to the same Fortify mass assignment issue; whitelisting and blacklisting is a tedious task for my application. Is there any other way to fix this other than Spring @InitBinder? – Shibina EC Jun 14 '18 at 10:24

1 Answer


There is no nice solution to this problem. Options:

  • create form or DTO objects that have fields for only what is in the form (but that will not work well with Spring Roo)
  • use 2 instances of the object, the form instance and the database instance, then copy only the fields that were in the form page from the form instance to the db instance

This article here could be used to help solve the mass assignment problem: http://blog.42.nl/articles/leveraging-the-spring-mvc-3.1-handlermethodargumentresolver-interface/

Solubris
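As an added example (not code from the question, the answer, or Spring Roo itself), here is the answer's second option combined with the @InitBinder whitelist the question asks about: the form instance is bound with only the editable fields allowed, and just those fields are copied onto the database instance. The Owner entity, its admin field and the in-memory store are assumptions standing in for Roo-generated code.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;

@Controller
@RequestMapping("/owners")
public class OwnerController {

    // Hypothetical entity. "admin" is the kind of field mass assignment exposes:
    // without a filter, a POST carrying admin=true binds straight into it.
    public static class Owner {
        private String firstName, email; private boolean admin;
        public String getFirstName() { return firstName; }
        public void setFirstName(String v) { firstName = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    // Constructed in-memory stand-in for the Roo-generated repository.
    private final Map<Long, Owner> store = new HashMap<Long, Owner>();

    // Whitelist the fields the form may bind on the "owner" model attribute.
    // Any other request parameter (admin=true, id=..., version=...) is dropped
    // by the binder instead of landing on the entity.
    @InitBinder("owner")
    public void restrictOwnerBinding(WebDataBinder binder) {
        binder.setAllowedFields("firstName", "email");
    }

    @RequestMapping(value = "/{id}", method = RequestMethod.POST)
    public String update(@PathVariable long id, @ModelAttribute("owner") Owner form) {
        // "form" is the freshly bound form instance; "db" is the persistent one.
        // Copy exactly the whitelisted fields, never the whole object.
        Owner db = store.get(id);
        db.setFirstName(form.getFirstName());
        db.setEmail(form.getEmail());
        return "redirect:/owners/" + id;
    }
}
```

setAllowedFields is a whitelist; prefer it over setDisallowedFields, which silently stops protecting you the day a new sensitive field is added to the entity.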