secguide icon indicating copy to clipboard operation
secguide copied to clipboard

Published 20 hours ago verified publisher icon Tencent

#java# 规范 不安全的对象绑定 增补修订建议

Open k4n5ha0 opened this issue 3 years ago • 5 comments

对用户输入数据绑定到对象时如不做限制,可能造成攻击者恶意覆盖用户数据

脆弱代码:

@javax.persistence.Entity
class UserEntity {
	@Id
	@GeneratedValue(strategy = GenerationType.IDENTITY)
	private Long id;

	private String username;

	private String password;

	private Long role;
}
@Controller
class UserController {

	@PutMapping("/user/")
	@ResponseStatus(value = HttpStatus.OK)
	public void update(UserEntity user) {

	// 攻击者可以构造恶意user对象,将id字段构造为管理员id,将password字段构造为弱密码
	// 如果鉴权不完整,接口读取恶意user对象的id字段后会覆盖管理员的password字段成为弱密码
	userService.save(user); 
	}
}

解决方案:

  • setAllowedFields白名单
@Controller
class UserController {

	@InitBinder
	public void initBinder(WebDataBinder binder, WebRequest request){

		// 对允许绑定的字段设置白名单,阻止其他所有字段
		binder.setAllowedFields(["role"]); 
	}
}
  • setDisallowedFields黑名单
@Controller
class UserController {

	@InitBinder
	public void initBinder(WebDataBinder binder, WebRequest request){

		// 对不允许绑定的字段设置黑名单,允许其他所有字段
		binder.setDisallowedFields(["username","password"]); 
	}
}

k4n5ha0 avatar May 24 '21 17:05 k4n5ha0

熊猫师傅666

coffeehb avatar May 25 '21 06:05 coffeehb

师傅太强了,学习!

maniacs1 avatar May 29 '21 07:05 maniacs1

师傅强

Frank5337 avatar Feb 17 '23 09:02 Frank5337

您好,您的邮件我已收到。我会尽快给您回复。

goexc avatar Feb 17 '23 09:02 goexc

您好,我已收到您的来件。

honguangli avatar Feb 17 '23 09:02 honguangli