ASP.NET MVC UpdateModel 容易受到黑客攻击吗?
我有一个类似日历的 ASP.NET MVC 应用程序。根据 NerdDinner 示例,我使用 UpdateMethod() 更新编辑页面的结果。
在我的应用程序中,某些事件是完全可自定义的,而某些事件只能部分自定义。尽管用于编辑部分可自定义事件的编辑表单仅具有这些字段可用,但显然有人可以使用缺少的数据创建自己的表单并将其发布到我的网站。如果他们这样做,如何阻止某人更改任何/所有字段?更糟糕的是,如果他们尝试更改 id(主键)怎么办?
感觉 UpdateModel() 很容易受到非常基本的黑客攻击。我的恐惧是否合理,还是我遗漏了什么?
// POST: /MyEvents/Edit/2
[AcceptVerbs(HttpVerbs.Post), Authorize]
public ActionResult Edit(int id, FormCollection formValues)
{
MyEvent myevent = eventRepository.GetMyEvent(id);
try
{
UpdateModel(myevent);
eventRepository.Save();
return RedirectToAction("Details", new { id = myevent.MyEventId });
}
catch
{
ModelState.AddRuleViolations(myevent.GetRuleViolations());
return View(new MyEventFormViewModel(myevent));
}
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
您缺少“模型绑定安全性”部分。您应该始终包含可通过任何用户输入方法更新的属性白名单。
例如,从 NerdDinner:
或者如果您正在调用 UpdateModel,您可以创建一个允许属性的字符串数组,然后
您可以锁定类本身,以便只有某些属性也可以更新。
You're missing the section on "Model Binding Security". You should always include a whitelist of properties that can be updated by any of your user input methods.
For example, from NerdDinner:
or if you're calling UpdateModel, you can create a string array of allowed properties, and do
You can lock down the classes themselves so that only certain properties are updateable as well.
你的担心是对的。这称为批量分配。您可以通过使用 BindAttribute 标记您的类来保护您的代码a> 并设置排除 / < a href="http://msdn.microsoft.com/en-us/library/system.web.mvc.bindattribute.include.aspx" rel="noreferrer">包含 属性。
Your fears are right. This is called mass assignment. You can protect your code by marking your class with BindAttribute and setting Exclude / Include properties.
某些有进取心/恶意的人完全有可能将字段映射到模型上的任何属性。有几种方法可以解决这个问题,
最简单的是使用 UpdateModel 的排除/包含属性重载,如前所述。这样做的缺点是该方法仅接受字符串数组,这有时意味着如果您进行任何重命名,您的代码就会不同步。
另一种方法是使用一个简单的 DTO 来保存绑定字段,然后您可以使用 DTO 并对事件对象执行您想要的操作,这显然会添加另一个类,并且更加手动,但为您提供了更多控制
另一种方法可以通过 MyEvent 类的客户模型绑定器,该绑定器仅绑定您所需的字段,但可能有点过头了。
It's perfectly possible for someone enterprising / malicious to map the fields to any of the properties on your model. There are a few ways around this
The most simple is to use the exclude / include properties overloads of UpdateModel as has been mentioned before. The downside of this is that the method only accepts a string array which can sometimes mean your code gets out of sync if you do any renaming.
Another way is to use a simple DTO which holds the bound fields, you can then take the DTO and do what you want with your event object, this obviously adds another class and is much more manual but gives you a lot more control
Another way could be via a customer model binder for your MyEvent class which only binds your desired field, probably overkill though.
UpdateModel 的重载采用一组字符串命名属性来更新。这些重载只会更新指定的属性。
可能还有其他更简单/更具声明性的方法来完成此任务,我不是 MVC 数据绑定方面的专家。
There are overloads of UpdateModel that take an array of strings naming properties to update. These overloads will only update the named properties.
There may be other easier / more declarative ways to accomplish this, I'm not an expert on MVC data binding.
您可以标记模型上更新时应忽略的字段,或使用其他 UpdateModel 重载。
You can mark fields on your model that should be ignored by update or pass a list of included/excluded fields using one of the other UpdateModel overloads.