Mass Assignment: Insecure Binder Configuration with Fortify Java 1.8 EJB

Time: 07-01

I am trying to solve some vulnerability issues, and there is one I couldn't solve. I tried adding the @Valid annotation in the sync method, but I get the same error. This is the description from Fortify:

The framework binder used for binding the HTTP request parameters to the model class has not been explicitly configured to allow, or disallow certain attributes.

To ease development and increase productivity, most modern frameworks allow an object to be automatically instantiated and populated with the HTTP request parameters whose names match an attribute of the class to be bound. Automatic instantiation and population of objects speeds up development, but can lead to serious problems if implemented without caution. Any attribute in the bound classes, or nested classes, will be automatically bound to the HTTP request parameters. Therefore, malicious users will be able to assign a value to any attribute in bound or nested classes, even if they are not exposed to the client through web forms or API contracts.

The error I am getting is on this line:

public ResponseClass sync(@BeanParam MyClassRequest request) throws Exception {

MyClassResource.java

import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.ws.rs.BeanParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;

@Api(tags = "Relay")
@Stateless
public class MyClassResource extends AbstractService<MyClassRequest, ResponseClass> {

    @EJB
    private MyClassService myClassService;

    // Fortify reports the mass-assignment finding on this method's @BeanParam
    // parameter: the request bean is populated from HTTP parameters without an
    // explicit allow/deny configuration of its attributes.
    @POST
    @Path("/api/v1/service")
    @Produces({"application/json"})
    @ApiOperation(value = "Processes Conn",
            response = ResponseClass.class, responseContainer = "ResponseClass", hidden = true)
    @Override
    public ResponseClass sync(@BeanParam MyClassRequest request) throws Exception {
        myClassService.processFeed(request);
        // RelayResponse is assumed to be a ResponseClass subtype (not shown in the post).
        return new RelayResponse(HttpStatuses.ACCEPTED.getStatus());
    }
}

MyClassRequest.java

In this file I have tried @FormParam("ccc"), but I get the same result.

public class MyClassRequest extends RelayRequest {

    public MyClassRequest() {
        super.setMessageType("not required");
    }

    // Fields as posted: no JAX-RS binding annotations and no validation annotations.
    private String myData;
    private String conneRid;
    private String connectionCreatedDate;
}

If someone could give some hint that how I can solve it, I will really appreciate it.

CodePudding user response:

Do you expect all fields to be present in the request? You are using the @Valid annotation, but there are no validation annotations in the MyClassRequest model. Try adding some validation annotations like @JsonIgnore for non-mandatory fields, or @JsonInclude on the class. If this does not help, maybe also try explicitly adding @JsonProperty on each field.
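The Fortify description quoted in the question and the answer above both come down to the same practitioner question: which attributes of the request bean may a client set, and is that decision written down in the code? For a @BeanParam bean the binding is decided by the JAX-RS parameter annotations (@FormParam, @QueryParam, @HeaderParam and friends), not by Jackson annotations, which only affect JSON bodies. The following is an added example, not code from the original post or from the asker's project, showing a request bean whose bindable attributes are an explicit allow-list and whose server-controlled state has no binding at all. The class, field and parameter names (SyncRequest, SyncResource, X-Request-Id, the field sizes) are illustrative assumptions.

```java
// Added example, not from the original post. Names and limits are assumptions.
import java.time.Instant;

import javax.validation.Valid;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.Size;
import javax.ws.rs.BeanParam;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/**
 * Request bean with an explicit binding allow-list. JAX-RS injects a @BeanParam
 * bean only into members that carry a parameter annotation; everything else is
 * left alone no matter what the client sends.
 */
public class SyncRequest {

    // Server-controlled state: no JAX-RS annotation and no setter, so a request
    // carrying messageType=... or connectionCreatedDate=... cannot change it.
    private final String messageType = "not required";
    private final Instant connectionCreatedDate = Instant.now();

    // Client-settable attributes: each one is bound explicitly and validated.
    @FormParam("myData")
    @NotBlank
    @Size(max = 4096)
    private String myData;

    @FormParam("conneRid")
    @NotBlank
    @Size(max = 64)
    private String conneRid;

    // Bound from a header rather than the form body (assumed header name).
    @HeaderParam("X-Request-Id")
    @Size(max = 128)
    private String requestId;

    public String getMessageType() { return messageType; }
    public Instant getConnectionCreatedDate() { return connectionCreatedDate; }
    public String getMyData() { return myData; }
    public String getConneRid() { return conneRid; }
    public String getRequestId() { return requestId; }
}

/**
 * Resource that consumes the bean. @Valid triggers Bean Validation on the
 * annotated fields after binding; a violation is rejected before the method runs.
 */
@Path("/api/v1/service")
class SyncResource {

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.APPLICATION_JSON)
    public Response sync(@Valid @BeanParam SyncRequest request) {
        // Only myData, conneRid and X-Request-Id can have come from the client here;
        // messageType and connectionCreatedDate are whatever the server assigned.
        return Response.accepted().build();
    }
}
```

The point of the allow-list is that adding a new field to the bean later does not silently make it client-writable: a field becomes bindable only when someone adds a JAX-RS parameter annotation to it, which is the explicit configuration the Fortify rule is looking for.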
