user1169587

Is this an example of mass assignment, and should we throw an exception for it?

I have read the following article on Mass Assignment: https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html

but still have some unknowns, e.g.

public class User {
   private String userid;
   private String password;
   private String email;
   //private boolean isAdmin;  // NOTE: the User class has NO isAdmin property

   //Getters & Setters
}

Here is the controller handling the request:

@RequestMapping(value = "/addUser", method = RequestMethod.POST)
public String submit(User user) {
   userService.add(user);
   return "successPage";
}

Here is the request, which carries more parameters than the User class has (isAdmin=true):

POST /addUser
...
userid=bobbytables&password=hashedpass&[email protected]&isAdmin=true

As the class User has NO isAdmin property:

  1. does the class User still have a Mass Assignment security problem for this request?
  2. should we throw an exception if the request has more parameters than the expected binding input parameter class?
  3. related to question 2, if we ignore the extra parameter and return response 200 (OK), is this right? In a security check, our program was complained about for returning 200 in a similar case.

As I read the article, the solution does NOT say to throw an error or exception for this case.
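As an added example (not code from the question or from the OWASP cheat sheet), this is how the controller above could make the bindable fields explicit with Spring's @InitBinder and setAllowedFields, and separately detect and log extra request parameters such as isAdmin instead of dropping them silently. It assumes a UserService type exposing the add(User) method that the question's userService calls, and uses System.err in place of a logger.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class UserController {

    // The only request parameters that may ever be bound onto User.
    static final Set<String> ALLOWED = Set.of("userid", "password", "email");

    @Autowired
    private UserService userService; // assumed: has add(User), as in the question

    // Spring's DataBinder ignores unknown request parameters by default
    // (ignoreUnknownFields = true), so isAdmin=true is already dropped when
    // User has no isAdmin property. The whitelist makes that explicit and
    // still holds if someone later adds an isAdmin field to User.
    @InitBinder("user")
    public void initUserBinder(WebDataBinder binder) {
        binder.setAllowedFields(ALLOWED.toArray(new String[0]));
    }

    // Names of parameters that were sent but are not bindable. Used as a
    // detection signal (log/alert) without changing the HTTP response.
    static Set<String> unexpectedParams(Map<String, String> params) {
        Set<String> extra = new TreeSet<>(params.keySet());
        extra.removeAll(ALLOWED);
        return extra;
    }

    @RequestMapping(value = "/addUser", method = RequestMethod.POST)
    public String submit(User user, @RequestParam Map<String, String> params) {
        Set<String> extra = unexpectedParams(params);
        if (!extra.isEmpty()) {
            // For the request in the question this prints [isAdmin]. Log it
            // server-side; do not echo the bindable field list to the client.
            System.err.println("Ignored unbound request parameters: " + extra);
        }
        userService.add(user);
        return "successPage";
    }
}
```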
