Yes, this is what the @StrictBinding annotation is for, have a look at that.

Problem solved =)

From: Caine Lai [mailto:caine...@gmail.com]
Sent: Thursday, March 25, 2010 2:14 PM
To: Stripes Users List
Subject: [Stripes-users] Security Concerns Binding Into Domain Model

I've been using Stripes for a couple of years now and love it.  However, I have 
recently been thinking about some security problems with binding directly into 
a domain model in action beans.  The problem is that Stripes will bind to 
properties even if there is no @Validate annotation on a field.

Imagine the following domain object, simplified for demonstration purposes:

public class User {

     private String role, email;

     // nothing here distinguishes role from email: any caller that reaches
     // the setter, including the request binder, can overwrite it
     public void setRole(String role) { this.role = role; }

     public String getRole() { return this.role; }

     public void setEmail(String email) { this.email = email; }

     public String getEmail() { return this.email; }
}

Now in my action bean, I use a user object for an update form and define some 
validators to it:

@ValidateNestedProperties({
        @Validate(field = "email", required = true, maxlength = ModelConstants.EMAIL_MAX_LENGTH, converter = EmailTypeConverter.class),
})
private User user;

// accessor pair the binder needs in order to populate user.* request parameters
public User getUser() { return user; }
public void setUser(User user) { this.user = user; }

public Resolution update() {
     user.merge();
     // an event handler must return a Resolution; the redirect target is a placeholder
     return new RedirectResolution("/action_mapping");
}

Now if I am a regular user with the "USER" role, I can request the following 
url:  
http://www.someserver.com/context/action_mapping/update?user.email=someem...@somedomain.com&role=ADMIN

Now even though I do not specify a validator on the role field, Stripes will 
still bind to that field and the user has just elevated their privileges to 
ADMIN.  Again, simplified example but this could pose all kinds of security 
holes and problems in an application.

Is there a reason Stripes binds to properties even when there is no validator 
or type converter defined on the property?
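Applying the @StrictBinding suggestion from the reply to the action bean in this question, as an added example rather than code from either poster. It assumes a hypothetical UserActionBean class and URL mapping, a literal maxlength instead of ModelConstants.EMAIL_MAX_LENGTH, and the User class with its merge() method as shown in the question.

```java
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.RedirectResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.UrlBinding;
import net.sourceforge.stripes.validation.Validate;
import net.sourceforge.stripes.validation.ValidateNestedProperties;

// Hypothetical bean name and URL; /action_mapping/update maps to the update() event.
@UrlBinding("/action_mapping/{$event}")
// Default policy is DENY: a request parameter is bound only if the target property
// carries a @Validate annotation (directly or via @ValidateNestedProperties) or is
// listed in allow = {...}. Everything else, including user.role, is dropped before
// validation runs, so the domain object never sees an unexpected value.
@StrictBinding
public class UserActionBean implements ActionBean {

    private ActionBeanContext context;

    @ValidateNestedProperties({
        // user.email is validated, so it is bindable; user.role has no @Validate
        // entry and is therefore denied by the strict policy.
        @Validate(field = "email", required = true, maxlength = 255)
    })
    private User user;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }

    // Accessor pair the binder needs to populate user.* parameters at all.
    public User getUser() { return user; }
    public void setUser(User user) { this.user = user; }

    @DefaultHandler
    public Resolution update() {
        // With ?user.email=...&user.role=ADMIN in the request, role is still whatever
        // was loaded from the persistent User; only email has been overwritten.
        user.merge();
        return new RedirectResolution(UserActionBean.class);
    }
}
```

If a property without a validator genuinely needs to be bindable, open it up explicitly with @StrictBinding(allow = "user.email") style patterns rather than loosening the default policy for the whole bean.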
