7

I have this Controller in Java:

import javax.servlet.http.HttpSession;
import javax.validation.Valid;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.mvc.support.RedirectAttributes;

@Controller
public class AuthenticationController extends AbstractController {

  // The request object is bound from HTTP parameters (form/query binding, not @RequestBody)
  @RequestMapping(value = Constantes.MAPPING_AUTH_BASE_ASP, method = { RequestMethod.POST })
  public String authenticate(@Valid ComunicationWithAspRequest comunicationWithAspRequest, BindingResult result,
      RedirectAttributes redirectAttributes, HttpSession sesion) throws Exception {
    // ... method body elided in the original post ...
  }
}

When I scan my code in Fortify, the object comunicationWithAspRequest causes the Mass Assignment: Insecure Binder Configuration vulnerability. Is it possible to control which HTTP request parameters will be used in the binding process and which ones will be ignored?

Brayan Reyes

2 Answers

9

You may refer to the problem Prevent mass assignment in Spring MVC with Roo.

In your case, you can use @InitBinder provided by Spring MVC. @InitBinder would specify the white list for JSON and bean mapping.

In my experience, I used @RequestBody for auto-binding. I need to add @JsonIgnore to specify the property that should not be included in the mapping.

SimpleController.java

// Handler method: the request body is deserialized by Jackson into User;
// properties marked @JsonIgnore in User are never populated from the JSON.
@RequestMapping(value="/simple")
public String simple(@Valid @RequestBody User user){
   simpleService.doSomething();
   return "simple"; // view name (placeholder, not in the original answer)
}

User.java

import com.fasterxml.jackson.annotation.JsonIgnore;

public class User{
   private String name;

   // @JsonIgnore on the field marks the whole "dummy" property as ignored,
   // so its setter is not called during JSON deserialization either.
   @JsonIgnore
   private String dummy;

   public String getName(){return name;}
   public void setName(String name){this.name = name;}
   public String getDummy(){return dummy;}
   public void setDummy(String dummy){this.dummy = dummy;}

}
Ben Cheng
  • I was searching for a solution for the same Fortify mass assignment issue; whitelisting and blacklisting is a tedious task for my application. Is there any other way to fix this other than Spring @InitBinder? – Shibina EC Jun 14 '18 at 10:17
  • In my project, I just use a dirty way to solve this issue, i.e. @JsonIgnore – Ben Cheng Jun 15 '18 at 02:22
  • I tried JsonView, which works for my project better than JsonIgnore since the objects are used for more than 1 endpoint. Yet Fortify doesn't seem to recognize it – bourne2program Jan 18 '19 at 16:32
  • One more finding is that Fortify is actually just doing a scan to pop you a warning. Some issues may not be solved; you just need to accept them with a reason. – Ben Cheng Jan 19 '19 at 07:25
  • In my project, I have used something like @JsonIgnoreProperties(ignoreUnknown=true) – viveknaskar Jul 10 '19 at 09:08
  • Could @JsonIgnoreProperties(ignoreUnknown=true) fix the issue in Fortify? – Ben Cheng Jul 10 '19 at 12:51
  • @BenCheng Is there any solution for a Spring Boot application for this issue? – mvm Oct 01 '19 at 11:53
  • @mvm as far as I know, the same solution would be applied. – Ben Cheng Oct 04 '19 at 12:12
  • @BenCheng I have implemented InitBinder in the controller and JsonIgnoreProperties in the bean, but the issue is still in Fortify. Is there any option to solve this issue? – mvm Oct 08 '19 at 13:06
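The question's controller binds a form object from request parameters (not from a JSON body), which is the case Spring's WebDataBinder handles. The following is an added example, not code from the question or the answer above, showing the @InitBinder allow-list the answer refers to. The bean, its field names and the URL are assumptions made for this example:

```java
import javax.validation.Valid;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Hypothetical form-backing bean (assumed for this example).
// "admin" is the kind of property that must never be writable from a request.
class AccountForm {
    private String username;
    private String password;
    private boolean admin;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

@Controller
public class AccountController {

    // Applies only to the model attribute named "accountForm".
    // Only the listed request parameters are bound into the bean; any other
    // parameter (e.g. "admin") is dropped by WebDataBinder instead of being
    // written through the bean's setter. Patterns such as "address.*" are
    // also accepted by setAllowedFields for nested properties.
    @InitBinder("accountForm")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("username", "password");
    }

    @PostMapping("/account")
    public String create(@Valid @ModelAttribute("accountForm") AccountForm form,
                         BindingResult result) {
        if (result.hasErrors()) {
            return "account/form";
        }
        // form.isAdmin() can only be true if set server-side: the request
        // cannot reach that setter through the binder.
        return "redirect:/account";
    }
}
```

An allow-list (setAllowedFields) is preferable to a deny-list (setDisallowedFields): a new sensitive property added to the bean later is protected by default, whereas a deny-list has to be updated every time. A separate alternative is to bind into a request-specific DTO that only declares the fields the endpoint is meant to accept, and copy from it to the domain object explicitly.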
2

By adding the @JsonIgnoreProperties(ignoreUnknown = true) annotation at the class level the issue can be resolved in case we don't know what to ignore.

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;

// Unknown JSON properties are silently skipped instead of failing deserialization.
@JsonIgnoreProperties(ignoreUnknown = true)
public class className{

}
lbndvs
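A caveat worth checking before relying on the annotation above: ignoreUnknown=true only controls what Jackson does with JSON names that match no property on the class; it does not stop JSON from populating properties the class does declare. The following added example (not code from the answer) makes that visible by deserializing the same constructed JSON into two DTOs, one of which additionally marks the sensitive property with @JsonIgnore. The DTOs, field names and sample JSON are assumptions for this example:

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

public class IgnoreUnknownDemo {

    // Hypothetical DTO: unknown names are skipped, but every declared
    // property is still writable from the JSON, including "admin".
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class LenientUser {
        public String name;
        public boolean admin;
    }

    // Same DTO, but the sensitive property is explicitly excluded from
    // (de)serialization, so the JSON cannot set it.
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class GuardedUser {
        public String name;
        @JsonIgnore
        public boolean admin;
    }

    // Constructed sample input: one declared field, one sensitive declared
    // field and one name that exists on neither class.
    static final String JSON = "{\"name\":\"alice\",\"admin\":true,\"nonexistent\":1}";

    public static boolean lenientAdmin(ObjectMapper mapper) throws Exception {
        return mapper.readValue(JSON, LenientUser.class).admin;   // true
    }

    public static boolean guardedAdmin(ObjectMapper mapper) throws Exception {
        return mapper.readValue(JSON, GuardedUser.class).admin;   // false
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Neither call throws: "nonexistent" is ignored in both cases.
        System.out.println("LenientUser.admin = " + lenientAdmin(mapper));
        System.out.println("GuardedUser.admin = " + guardedAdmin(mapper));
    }
}
```

So ignoreUnknown=true addresses robustness (no UnrecognizedPropertyException on extra input), while preventing unwanted binding still needs @JsonIgnore on the specific properties, a @JsonView, or a DTO that simply does not declare them.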