I've been using Stripes for a couple of years now and love it. However, I
have recently been thinking about some security problems with binding
directly into a domain model in action beans. The problem is that Stripes
will bind to properties even if there is no @Validate annotation on a field.
Imagine the following domain object, simplified for demonstration purposes:
public class User {
    private String role, email;
    public void setRole(String role) { this.role = role; }
    public String getRole() { return this.role; }
    public void setEmail(String email) { this.email = email; }
    public String getEmail() { return this.email; }
}
Now in my action bean, I use a user object for an update form and define
some validators on it:
@ValidateNestedProperties({
    @Validate(field = "email", required = true, maxlength = ModelConstants.EMAIL_MAX_LENGTH,
              converter = EmailTypeConverter.class)
})
private User user;

// getter/setter so Stripes can bind request parameters into the nested object
public User getUser() { return user; }
public void setUser(User user) { this.user = user; }

public Resolution update() {
    user.merge();
    return new RedirectResolution(getClass());
}
Now if I am a regular user with the "USER" role, I can request the following
url:
http://www.someserver.com/context/action_mapping/update?user.email=someem...@somedomain.com&role=ADMIN
Now even though I do not specify a validator on the role field, Stripes will
still bind to that field and the user has just elevated their privileges to
ADMIN. Again, a simplified example, but this could pose all kinds of security
holes and problems in an application.
Is there a reason Stripes binds to properties even when there is no
validator or type converter defined on the property?
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
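A hardened form of the action bean described above, as an added example that is not code from the original post or from the Stripes project. It assumes Stripes 1.5 or later, where @StrictBinding is available; the class name, URL binding, session attribute name and the currentUser() helper are hypothetical, and the User class (with its merge() method) is the one from the post.

```java
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.RedirectResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.UrlBinding;
import net.sourceforge.stripes.validation.Validate;
import net.sourceforge.stripes.validation.ValidateNestedProperties;

// Hypothetical action bean. With a DENY default policy Stripes refuses to bind
// any request parameter whose property is not listed in allow, so an unlisted
// parameter such as user.role is dropped before it ever reaches the User object.
@UrlBinding("/action_mapping/update")
@StrictBinding(defaultPolicy = StrictBinding.Policy.DENY, allow = {"user.email"})
public class UpdateUserActionBean implements ActionBean {
    private ActionBeanContext context;

    // maxlength is a constructed value standing in for ModelConstants.EMAIL_MAX_LENGTH
    @ValidateNestedProperties({
        @Validate(field = "email", required = true, maxlength = 255)
    })
    private User user;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }

    public User getUser() { return user; }
    public void setUser(User user) { this.user = user; }

    public Resolution update() {
        // Work on the caller's own record taken from the authenticated session,
        // never on an object assembled from request parameters, and copy across
        // only the single field this form is meant to change.
        User current = currentUser();
        current.setEmail(user.getEmail());
        current.merge();
        return new RedirectResolution(getClass());
    }

    private User currentUser() {
        // Assumption: the authenticated User was stored under "user" at login.
        return (User) context.getRequest().getSession().getAttribute("user");
    }
}
```

Even with the allow list in place, copying fields explicitly in the handler means a later addition to the User class cannot silently become request-bindable.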