Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-4684

Persistent entities should not be used as arguments of "@RequestMapping" methods

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Replace this persistent entity with a simple POJO or DTO object.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-915
    • OWASP:
      A5
    • Fortify:
      mass_assignment_request_parameters_bound_into_persisted_objects

      Description

      On one side, Spring MVC automatically bind request parameters to beans declared as arguments of methods annotated with @RequestMapping. Because of this automatic binding feature, it's possible to feed some unexpected fields on the arguments of the @RequestMapping annotated methods.
      On the other end, persistent objects (@Entity or @Document) are linked to the underlying database and updated automatically by a persistence framework, such as Hibernate, JPA or Spring Data MongoDB.

      These two facts combined together can lead to malicious attack: if a persistent object is used as an argument of a method annotated with @RequestMapping, it's possible from a specially crafted user input, to change the content of unexpected fields into the database.

      For this reason, using @Entity or @Document objects as arguments of methods annotated with @RequestMapping should be avoided.

      In addition to @RequestMapping, this rule also considers the annotations introduced in Spring Framework 4.3: @GetMapping, @PostMapping, @PutMapping, @DeleteMapping, @PatchMapping.

      Noncompliant Code Example

      import javax.persistence.Entity;
      
      @Entity
      public class Wish {
        Long productId;
        Long quantity;
        Client client;
      }
      
      @Entity
      public class Client {
        String clientId;
        String name;
        String password;
      }
      
      import org.springframework.stereotype.Controller;
      import org.springframework.web.bind.annotation.RequestMapping;
      
      @Controller
      public class WishListController {
      
        @PostMapping(path = "/saveForLater")
        public String saveForLater(Wish wish) {
          session.save(wish);
        }
      
        @RequestMapping(path = "/saveForLater", method = RequestMethod.POST)
        public String saveForLater(Wish wish) {
          session.save(wish);
        }
      }
      

      Compliant Solution

      public class WishDTO {
        Long productId;
        Long quantity;
        Long clientId;
      }
      
      import org.springframework.stereotype.Controller;
      import org.springframework.web.bind.annotation.RequestMapping;
      
      @Controller
      public class PurchaseOrderController {
      
        @PostMapping(path = "/saveForLater")
        public String saveForLater(WishDTO wish) {
          Wish persistentWish = new Wish();   
          // do the mapping between "wish" and "persistentWish"
          [...]
          session.save(persistentWish);
        }
      
        @RequestMapping(path = "/saveForLater", method = RequestMethod.POST)
        public String saveForLater(WishDTO wish) {
          Wish persistentWish = new Wish();   
          // do the mapping between "wish" and "persistentWish"
          [...]
          session.save(persistentWish);
        }
      }
      

      See

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                alexandre.gigleux Alexandre Gigleux
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated: