Bryan,
This is good advice. However, I thought the
beans are populated off of the request outside of the control of my Action class
derivation. Therefore, copyProperties() doesn't pertain.
- jeff
----- Original Message -----
Sent: Monday, May 07, 2001 1:14 PM
Subject: Re: Potential Security Flaw in
Struts MVC
There is a security risk here as you describe, if (and only if)
you are using a generic introspection-based function (like Struts'
PropertyUtils.copyBean) to copy the values from the UserForm object to the
User object. There are several ways to avoid this --
1. Don't put an
admin flag "setter" method in your User class. 2. In UserAction, don't use
the generic bean copy utility -- instead, manually copy the values, excluding
the admin flag. 3. As a smarter alternative to #2, don't use a generic bean
copy utility -- instead, write an intelligent copy function in the User class,
which "knows" that it's copying FROM a UserForm, TO a User, and therefore,
skip the copying of the Admin flag.
Bryan
Jeff Trent
wrote:
002501c0d70b$9df009a0$6401a8c0@PROVIDENCE"
type="cite">
I may be wrong about this (only been working w/
Struts for a week now). But I do see a potential security flaw in
struts that I would like to hear from others regarding.
Consider a simple set of struts classes that
represent a user in a system. You would probably have classes that look
something like this:
User
(the model
representing the user)
UserForm
(an enrollment form for a new user)
UserAction
(Saves the UserForm information to db, etc)
The User class would have accessors and
modifiers like getFirstName(), setFirstName(), getAdministrativeUserFlag(),
setAdministrativeUserFlag(), etc. The basic implementation of the
UserForm is to take the UI form data, introspect the beans, and call the
correct modifier of the UserForm bean based on the fields contained within
the UI submission/form. A developer of course would not expose the
"Administrative User Flag" option on the UI for enrollment (that would be
found possibly in some other administrative-level module). However, if
someone is familiar with the db schema and the naming convention the
developer used, that user could subvert the application by writing his own
version of the UI which contains an "Administrative User Flag" field (or any
other field for that matter) and the basic form processing in Struts will
kindly honor the request and set the "Administrative Flag" on the
user. Unless, of course, the developer makes special provisions to
prevent this behavior. However, its not entirely obvious to the struts
user (in my opinion) that this is even a concern. Am I making sense
here?
- jeff
|