Unsafe object binding (Checkmarx) in a Spring Boot application
I'm getting this alert from Checkmarx, saying that I have an unsafe object binding when trying to save a comment.
I've read that we mustn't save objects directly from the request body as it can be dangerous; that's why I'm getting a CommentDTO from the client, creating a new Comment from the DTO using ModelMapper, and creating the comment in the CommentService and saving it to the database, but Checkmarx keeps pointing to the same issue.
This is my controller:
```java
@PostMapping("/add")
public ResponseEntity<Comment> createFaq(@RequestBody CommentDTO commentDTO) {
    try {
        // Copy the incoming DTO onto the entity with loose property matching
        modelMapper.getConfiguration()
                .setMatchingStrategy(MatchingStrategies.LOOSE);
        modelMapper.getConfiguration().setAmbiguityIgnored(true);
        Comment comment = modelMapper.map(commentDTO, Comment.class);
        commentservice.create(comment);
        return new ResponseEntity<>(HttpStatus.CREATED);
    } catch (Exception e) {
        System.out.println("unable to create comment with msg " + e.getMessage());
        return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
    }
}
```
This is my DTO:

```java
@Data
public class CommentDTO {
    private Long id_comment;
    private String contenue;
    private Employe employe;
    private Faq faq;
    private Notifications notif;
    private LocalDateTime dateOfComment = LocalDateTime.now();
}
```
When using the default deserializer to deserialize the request.body into CommentDTO, the content can describe a custom class (extending CommentDTO) that, when instantiated, may perform any action (sometimes even remote code execution).
Implementing a mapper for the request body should circumvent the problem.
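One way to put that answer into practice, as an added example that is neither the question's code nor the answer's: the inbound DTO carries only the two values a client may legitimately supply (the text and the id of the FAQ being commented on), contains no entity types, and is copied onto the entity field by field instead of through ModelMapper's LOOSE matching. The comment's id, timestamp and author are decided server-side, so the binder-level finding has nothing to bind to. `Comment`, `Faq`, `Employe` and `CommentService` are the question's own names; the `CommentRequest` DTO, the `FaqRepository` and `EmployeRepository` Spring Data repositories with a `findByUsername` finder, the setter names on `Comment`, and an authenticated request (so that `Principal` is non-null) are assumptions of this example.

```java
package com.example.comments; // package name is an assumption

import java.security.Principal;
import java.time.LocalDateTime;

import jakarta.validation.Valid;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Size;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
@RequestMapping("/comments")
public class CommentController {

    /**
     * Inbound shape: only what a client may legitimately supply. No entity types
     * (Employe, Faq, Notifications), no id, no timestamp, no author. A field the
     * client cannot name in JSON is a field the client cannot tamper with.
     */
    public static class CommentRequest {
        @NotBlank
        @Size(max = 2000)
        private String contenue;

        @NotNull
        private Long faqId;

        public String getContenue() { return contenue; }
        public void setContenue(String contenue) { this.contenue = contenue; }
        public Long getFaqId() { return faqId; }
        public void setFaqId(Long faqId) { this.faqId = faqId; }
    }

    // CommentService is the question's own type; the two repositories are assumed
    // Spring Data repositories (findById from CrudRepository, findByUsername a derived finder).
    private final CommentService commentService;
    private final FaqRepository faqRepository;
    private final EmployeRepository employeRepository;

    public CommentController(CommentService commentService,
                             FaqRepository faqRepository,
                             EmployeRepository employeRepository) {
        this.commentService = commentService;
        this.faqRepository = faqRepository;
        this.employeRepository = employeRepository;
    }

    @PostMapping("/add")
    public ResponseEntity<Void> createComment(@Valid @RequestBody CommentRequest request,
                                              Principal principal) {
        // Resolve associations server-side from identifiers, never from client-built objects.
        Faq faq = faqRepository.findById(request.getFaqId())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "faq not found"));
        Employe author = employeRepository.findByUsername(principal.getName())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.FORBIDDEN, "unknown user"));

        // Explicit field-by-field mapping replaces ModelMapper LOOSE matching: nothing in the
        // request can reach an entity field that is not listed here. Setter names assumed.
        Comment comment = new Comment();
        comment.setContenue(request.getContenue());
        comment.setFaq(faq);
        comment.setEmploye(author);
        comment.setDateOfComment(LocalDateTime.now()); // server clock, not client-supplied

        commentService.create(comment);
        return ResponseEntity.status(HttpStatus.CREATED).build();
    }
}
```

Two design points worth noting. First, Spring Boot configures Jackson with `FAIL_ON_UNKNOWN_PROPERTIES` disabled, so a payload that also sends `id_comment` or an `employe` object is silently ignored rather than rejected; setting `spring.jackson.deserialization.fail-on-unknown-properties=true` in `application.properties` turns such payloads into a 400, which is useful both as a control and as a detection signal in the access logs. Second, the original `catch (Exception e)` with a `System.out.println` is dropped on purpose: letting `ResponseStatusException` and validation errors propagate gives the client the correct status code and keeps the failure in the application log rather than on stdout.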