#java# 规范不安全的对象绑定增补修订建议 #20

k4n5ha0 · 2021-05-24T17:31:09Z

对用户输入数据绑定到对象时如不做限制，可能造成攻击者恶意覆盖用户数据

脆弱代码：

@javax.persistence.Entity
class UserEntity {
	@Id
	@GeneratedValue(strategy = GenerationType.IDENTITY)
	private Long id;

	private String username;

	private String password;

	private Long role;
}
@Controller
class UserController {

	@PutMapping("/user/")
	@ResponseStatus(value = HttpStatus.OK)
	public void update(UserEntity user) {

	// 攻击者可以构造恶意user对象，将id字段构造为管理员id，将password字段构造为弱密码
	// 如果鉴权不完整，接口读取恶意user对象的id字段后会覆盖管理员的password字段成为弱密码
	userService.save(user); 
	}
}

解决方案：

setAllowedFields白名单

@Controller
class UserController {

	@InitBinder
	public void initBinder(WebDataBinder binder, WebRequest request){

		// 对允许绑定的字段设置白名单，阻止其他所有字段
		binder.setAllowedFields(["role"]); 
	}
}

setDisallowedFields黑名单

@Controller
class UserController {

	@InitBinder
	public void initBinder(WebDataBinder binder, WebRequest request){

		// 对不允许绑定的字段设置黑名单，允许其他所有字段
		binder.setDisallowedFields(["username","password"]); 
	}
}

The text was updated successfully, but these errors were encountered:

coffeehb · 2021-05-25T06:11:52Z

熊猫师傅666

maniacs1 · 2021-05-29T07:10:24Z

师傅太强了,学习!

Frank5337 · 2023-02-17T09:54:37Z

师傅强

goexc · 2023-02-17T09:55:05Z

您好，您的邮件我已收到。我会尽快给您回复。

honguangli · 2023-02-17T09:55:11Z

您好，我已收到您的来件。

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

#java# 规范不安全的对象绑定增补修订建议 #20

#java# 规范不安全的对象绑定增补修订建议 #20

k4n5ha0 commented May 24, 2021

coffeehb commented May 25, 2021

maniacs1 commented May 29, 2021

Frank5337 commented Feb 17, 2023

goexc commented Feb 17, 2023 via email

honguangli commented Feb 17, 2023 via email

#java# 规范 不安全的对象绑定 增补修订建议 #20

#java# 规范 不安全的对象绑定 增补修订建议 #20

Comments

k4n5ha0 commented May 24, 2021

coffeehb commented May 25, 2021

maniacs1 commented May 29, 2021

Frank5337 commented Feb 17, 2023

goexc commented Feb 17, 2023 via email

honguangli commented Feb 17, 2023 via email

#java# 规范不安全的对象绑定增补修订建议 #20

#java# 规范不安全的对象绑定增补修订建议 #20