Kiran Kumar
Sep 12, 2022


Mass Assignment: Request Parameters Bound into Persisted Objects

Explanation

Persistent objects are bound to the underlying database and updated automatically by the persistence framework, such as Hibernate or JPA. Allowing Spring MVC to bind these objects dynamically to the request lets an attacker inject unexpected values into the database simply by supplying additional request parameters that match entity field names.

SOLUTION

We should never bind a persistent bean (a Hibernate entity) directly to a request as-is. Instead, wrap it in a request wrapper class that exposes only the fields the endpoint is meant to accept, and copy those fields onto the entity explicitly in the controller or service.
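The following is an added example, not code from the original post; it shows the vulnerable pattern Fortify flags beside the wrapper-class fix. It assumes Spring Boot 3 (Spring MVC, Spring Data JPA, jakarta.persistence), and the entity, repository, controller and request-class names are illustrative placeholders.

```java
// Added example (not from the original post). Assumes Spring Boot 3 with
// Spring MVC and Spring Data JPA; all class and field names are hypothetical.
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Persistent entity: every property here maps to a database column.
@Entity
class User {
    @Id @GeneratedValue
    private Long id;
    private String email;
    private String displayName;
    private boolean admin;   // privileged column that must never be client-controlled

    public Long getId() { return id; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

interface UserRepository extends JpaRepository<User, Long> {}

// VULNERABLE: the entity itself is the @ModelAttribute. Spring MVC sets every
// entity property for which a matching request parameter exists, so a request
// carrying an extra "admin=true" parameter is persisted as-is.
@RestController
@RequestMapping("/vulnerable/users")
class VulnerableUserController {
    private final UserRepository repo;
    VulnerableUserController(UserRepository repo) { this.repo = repo; }

    @PostMapping
    public User create(@ModelAttribute User user) {
        return repo.save(user);   // whatever the client bound is written to the DB
    }
}

// FIXED: a request wrapper class that only carries the fields this endpoint
// is meant to accept. It has no "admin" property, so there is nothing for
// the binder to set, regardless of what parameters the request contains.
class CreateUserRequest {
    private String email;
    private String displayName;

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
}

@RestController
@RequestMapping("/users")
class UserController {
    private final UserRepository repo;
    UserController(UserRepository repo) { this.repo = repo; }

    @PostMapping
    public User create(@ModelAttribute CreateUserRequest req) {
        // Copy only the allowed fields onto a fresh entity; "admin" keeps its
        // default (false) because the request can never reach it.
        User user = new User();
        user.setEmail(req.getEmail());
        user.setDisplayName(req.getDisplayName());
        return repo.save(user);
    }
}
```

The wrapper class is the primary control: the set of bindable fields is now decided by the code, not by whatever parameter names a client chooses to send. Spring's `WebDataBinder.setAllowedFields`/`setDisallowedFields` (registered through an `@InitBinder` method) can be layered on as a second line of defence, but on its own it is easy to forget when a new privileged column is added to the entity, which is why Fortify recommends never exposing the entity to the binder at all.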

More Fortify Solutions:


Technophile with 10 years of experience in the IT industry | Java Lead cum Architect