How to fix Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) in java
I have a Controller class with the below two methods for finding doctors (context changed). I am getting the Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) error on both methods.

@Controller
@RequestMapping(value = "/findDocSearch")
public class Controller {

    @Autowired
    private IFindDocService findDocService;

    @RequestMapping(value = "/byName", method = RequestMethod.GET)
    @ResponseBody
    public List<FindDocDTO> findDocByName(FindDocBean bean) {
        return findDocService.retrieveDocByName(bean.getName());
    }

    @RequestMapping(value = "/byLoc", method = RequestMethod.GET)
    @ResponseBody
    public List<FindDocDTO> findDocByLocation(FindDocBean bean) {
        return findDocService.retrieveDocByZipCode(bean.getZipcode(),
                bean.getDistance());
    }
}

and my Bean is :

public class FindDocBean implements Serializable {
    private static final long serialVersionUID = -1212xxxL;

    private String name;
    private String zipcode;
    private int distance;

    @Override
    public String toString() {
        return String.format("FindDocBean[name: %s, zipcode:%s, distance:%s]",
                name, zipcode, distance);
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getZipcode() {
        return zipcode;
    }

    public void setZipcode(String zipcode) {
        this.zipcode = zipcode;
    }

    public int getDistance() {
        return distance;
    }

    public void setDistance(int distance) {
        this.distance = distance;
    }
}

All the suggestions I have found so far recommend restricting the bean to the required parameters only, with something like the below:

final String[] DISALLOWED_FIELDS = new String[]{"bean.name", "bean.zipcode", };

@InitBinder
public void initBinder(WebDataBinder binder) {
    binder.setDisallowedFields(DISALLOWED_FIELDS);
}

But my problem is that all three parameters of the bean are used in one or the other of the methods on the Controller.

Can someone please suggest a solution for this? Thanks in advance.

Outnumber answered 22/12, 2017 at 17:43 Comment(1)
Why do you use a bean? You could just bind to a String in every method (since you only use the string anyway), e.g. findByDocName(String name).Penn

InitBinder can be used for methods. You can try this.

@InitBinder("findDocByName")
public void initBinderByName(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{"distance","zipcode"});
}


@InitBinder("findDocByLocation")
public void initBinderByZipCode(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{"distance","name"});
}
Kame answered 2/1, 2018 at 16:17 Comment(3)
According to the Spring docs, the value in @InitBinder is the names of command/form attributes and/or request parameters that this init-binder method is supposed to apply to. How are you applying a method name? This is not working for me.Agitate
I have used the same implementation in my REST controller, but I am still facing the same issue in a Spring Boot project. @Mehmet Sunkur Not through in scan.Saimon
This solution might be allowed for Spring MVC, not a REST API. Can you reply for a REST API?Inveteracy
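An added example (not code from the original thread) of scoping the binder per handler: Spring matches the value of @InitBinder against the model attribute name, so each handler gives its bean a distinct name with @ModelAttribute and gets its own allow-list. The controller name, the attribute names and the logging of suppressed fields are my assumptions; IFindDocService, FindDocDTO and FindDocBean are the question's types.

```java
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/findDocSearch")
public class FindDocController {
    private static final Logger log = LoggerFactory.getLogger(FindDocController.class);
    @Autowired
    private IFindDocService findDocService; // service and DTO types are from the question

    // @InitBinder's value is the model attribute name, not the handler method name, so
    // each handler names its attribute with @ModelAttribute and gets its own allow-list.
    // Unlike a disallowed list, an allow-list still covers fields added to the bean later.
    @InitBinder("byNameQuery")
    public void initByNameBinder(WebDataBinder binder) {
        binder.setAllowedFields("name");
    }

    @InitBinder("byLocationQuery")
    public void initByLocationBinder(WebDataBinder binder) {
        binder.setAllowedFields("zipcode", "distance");
    }

    @GetMapping("/byName")
    public List<FindDocDTO> findDocByName(
            @ModelAttribute("byNameQuery") FindDocBean bean, BindingResult result) {
        logSuppressed(result);
        return findDocService.retrieveDocByName(bean.getName());
    }

    @GetMapping("/byLoc")
    public List<FindDocDTO> findDocByLocation(
            @ModelAttribute("byLocationQuery") FindDocBean bean, BindingResult result) {
        logSuppressed(result);
        return findDocService.retrieveDocByZipCode(bean.getZipcode(), bean.getDistance());
    }

    // Parameters outside the allow-list are dropped and recorded as suppressed fields,
    // which is a cheap signal that a client is probing for properties it should not set.
    private static void logSuppressed(BindingResult result) {
        String[] suppressed = result.getSuppressedFields();
        if (suppressed.length > 0) {
            log.warn("Ignored request parameters: {}", String.join(",", suppressed));
        }
    }
}
```

With this in place, a request such as GET /findDocSearch/byName?name=Smith&distance=5 binds only name; distance is never set on the bean and shows up in the warning log instead.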

I was facing the same issue, then I added the below code in the same REST controller class:

@InitBinder
public void populateCustomerRequest(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{});
}

Now it's working fine for me and the mass assignment issue was fixed.

Beeman answered 5/2, 2018 at 14:55 Comment(2)
Setting disallowed fields to null may keep Fortify from complaining about it, but the attacker can still guess and use the sensitive fields. Blacklisting and whitelisting is a tedious task for a big application, so I am looking for other solutions.Agitate
@ShibinaEC Are there any solutions for the insecure binder vulnerability in a Spring REST API?Inveteracy

Simple question: how can your mapper instantiate the bean? Here is an answer / example. You can pass that data by query parameter, or in a header. However, that would be strange. Better is to have those methods with @QueryParam providing location or name. That way it will be easier to protect your application.

As a side note, a query string has limited length, so if your search form is big and strange, @POST can be a good idea, and that way you can pass all the data. For this simple example that would be overkill.

Gunstock answered 27/12, 2017 at 21:32 Comment(0)

This looks like an unfortunate false positive. The rule behind this error is meant to prevent properties that are present in an object but not intended to be (unvalidated) user input from being accidentally populated from a web request. An example would be a POST request creating a resource. If the request handler takes the full resource object and fills only the missing properties, a malicious user could populate fields that she shouldn't be able to edit.

This case, however, does not match that scheme. You just use the same mechanism to capture your different arguments, and any additionally populated properties will not even be read. In

GET http://yourhost/findDocSearch/byName?name=Abuse&zipCode=11111

the additional zipCode would just be ignored. Therefore the assumed risk is not present here.

To fix the warning, you could mark it as a false positive (if this is possible inside your setup). If that is not possible, you could also just map the query parameters to method arguments directly. As you only have a limited number of parameters, that should not hurt too much. If this is not an option either, you probably need to figure out the exact algorithm your code analysis uses to determine which checks it will recognize. Unfortunately, most scanners are only able to discover a limited set of ways to do input validation.

Choker answered 2/1, 2018 at 9:31 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.