1

I am implementing a rest-full Web service with Jersey which accepts http request from client in json form.

On fortify scan I am getting critical issue :-"mass assignment insecure binder configuration".

I want to bind the json values in htttp request to the model class in my server side code and since it is a small module I want to avoid using Spring MVC framework.

Below is my code snippet which is working fine but I need to map json request to model class below without using Spring MVC.

@POST
@Path("/TimRestService")
@Consumes({MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_JSON})
public Response crunchifyREST**(JsonObject model**, @Context HttpServletRequest request) {


    System.out.println(model);

    return Response.status(200).entity(model).build();

}

This is the model class :-

public class ActivateService  {

public String mWalletToken;
public String topMerchantEMPID;
public String serviceCategory;
}

I checked these links , however the answer is more specific to Spring MVC fmwrk:

What is the solution for Mass Assignment: Insecure Binder Configuration Vulnerability? How to fix Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) in java

Prerna shah
  • 321
  • 3
  • 20

2 Answers2

1

This can be implemeted via Jacksonson . Jackson is one of the best JSON Providers/parsers and can be used with Jersey in Rest implemetation.The REST services will produce and consume JSON and the JSON serialization and de-serialization happens automatically behind the scenes

Create View class as :

public class View {

public static class Editable {}
public static class Viewable extends Editable {}
public static class Internal extends Viewable {}
}

Create Model class as :

@JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement(name = "activateService")
public class ActivateService implements Serializable  {

@JsonView(View.Editable.class)
public String mWalletToken;
@JsonView(View.Editable.class)
public String topMerchantEMPID;
@JsonView(View.Editable.class)
public String serviceCategory;
  }

and the Rest -full web service method :

@POST
@Path("/TimRestService")
@Consumes({MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_JSON})
public Response crunchifyREST(@JsonView(View.Editable.class) final ActivateService model, @Context HttpServletRequest request) {

In JAX-RS, if one model(either request or response) is annotated with @JsonView(View.Editable.class), in our case add method, Jackson will only serialize or deserialize fields that are annotated with @JsonView(View.Editable.class). In our case, client can only pass editableField, if client pass any other fields, server will just silently ignore them.

Use below dependencies in pom.xml

<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson- 
databind -->
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.5</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/com.sun.jersey/jersey-json -->
    <dependency>
        <groupId>com.sun.jersey</groupId>
        <artifactId>jersey-json</artifactId>
        <version>1.19.4</version>
    </dependency>

Source :- https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet and http://lifelongprogrammer.blogspot.com/2015/09/using-jackson-view-to-protect-mass-assignment.html

Prerna shah
  • 321
  • 3
  • 20
1

it also works just by placing this in the pojo or model class

@JsonIgnoreProperties(ignoreUnknown=true)
public class ActivateService  {
    [...]
}

resource:

https://stackoverflow.com/a/39013609/8782229

Robinson Calderón
  • 81
  • 1
  • 1
  • 5
  • I tried this, but in fortify 19.20 the error still remains. My Simple VO has ONLY allowed fields so I've had to mark a false positive.... Update: i had a remote scan which merging into local re-introducing the missing code. @JsonIgnoreProperties(ignoreUnknown=true) worked once I pushed to github and remote scanned in Fortify. – ranma2913 Aug 21 '20 at 18:10