Spring Boot Form Data Submission vs A8:2017-Insecure Deserialization - spring-boot

Is form attribute binding vulnerable to A8:2017-Insecure Deserialization?
I was testing Spring Boot form submission for my internal project when I came across
OWASP Top 10 A8:2017-Insecure Deserialization.
As per my current project,
I am binding the form parameters and getting a SearchPOJO at my controller
using @RequestBody.
I have the following doubts:
Is it safe to pass the parameters, as Spring may create the POJO, serialize it and then send it over the network, hence making me vulnerable to A8:2017-Insecure Deserialization?
Does Spring Boot perform the same process in any different way?
If there is a vulnerability, then will sending form data using @RequestParam/@PathVariable solve the issue?
As of now we are using Thymeleaf in the frontend. We are also planning to
switch to a React frontend in the coming months.
OWASP Top 10 A8:2017
I would be highly obliged if someone can clear my doubts.
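The three binding styles the question names, side by side with the pattern A8:2017 is actually about, as an added illustration; this is not code from the question or from any posted answer. `SearchPOJO` is the class name from the question; its fields, the `/search/...` paths and the `SavedSearch`/`LegacyImport` classes are assumptions. Form binding (`@ModelAttribute`) and `@RequestBody` both build the object by calling setters on a fresh instance, from request parameters or from JSON text parsed by Jackson; neither reads Java-serialized bytes with `ObjectInputStream`, which is the operation the OWASP entry describes. The last class shows that operation guarded by a JDK deserialization filter (Java 9+), the control to reach for where such code cannot be removed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// The POJO named in the question; its fields are an assumption.
class SearchPOJO {
    private String keyword;
    private int page;
    // Both binding paths below populate the object through these setters.
    public String getKeyword() { return keyword; }
    public void setKeyword(String keyword) { this.keyword = keyword; }
    public int getPage() { return page; }
    public void setPage(int page) { this.page = page; }
}

@RestController
public class SearchController {

    // 1) HTML form post (application/x-www-form-urlencoded), e.g. from Thymeleaf.
    //    Spring creates SearchPOJO itself and calls setKeyword()/setPage() with the
    //    request parameters, converting text to the target type. No Java serialization.
    @PostMapping("/search/form")
    public String searchForm(@ModelAttribute SearchPOJO form) {
        return "keyword=" + form.getKeyword() + " page=" + form.getPage();
    }

    // 2) JSON body (what a React frontend would send). Spring hands the body to
    //    Jackson's ObjectMapper, which parses text and calls the same setters.
    //    Spring Boot's auto-configured ObjectMapper leaves Jackson "default typing"
    //    off, so the JSON cannot name an arbitrary class for Jackson to instantiate.
    @PostMapping(path = "/search/json", consumes = "application/json")
    public String searchJson(@RequestBody SearchPOJO body) {
        return "keyword=" + body.getKeyword() + " page=" + body.getPage();
    }

    // 3) Individual parameters: plain String-to-type conversion, nothing else.
    @PostMapping("/search/params")
    public String searchParams(@RequestParam String keyword,
                               @RequestParam(defaultValue = "0") int page) {
        return "keyword=" + keyword + " page=" + page;
    }
}

// 4) What A8:2017 describes: ObjectInputStream.readObject() over bytes the client
//    controls. None of the handlers above does this. Where such code must exist,
//    a JDK deserialization filter decides which classes may be materialised and
//    rejects every other class with InvalidClassException.
class SavedSearch implements Serializable {
    private static final long serialVersionUID = 1L;
    final String keyword;
    SavedSearch(String keyword) { this.keyword = keyword; }
}

class LegacyImport {
    // Allowlist: the one expected class (plus String for its field); "!*" rejects the rest.
    static final ObjectInputFilter ONLY_SAVED_SEARCH =
            ObjectInputFilter.Config.createFilter("SavedSearch;java.lang.String;!*");

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static SavedSearch read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ONLY_SAVED_SEARCH);  // must be set before readObject()
            return (SavedSearch) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(read(write(new SavedSearch("spring"))).keyword);
        // A stream carrying any other class, even a harmless one, is refused by the filter.
        try {
            read(write(new java.util.ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Requires spring-web on the classpath and Java 9 or later for `ObjectInputFilter`; the controller part is only exercised inside a running Spring Boot application, while `LegacyImport.main` runs on its own.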

Related

What are the bare minimum topics to cover from JSP and Servlets to learn Spring Boot?

So I want to build projects using Spring Boot directly, as I'm under a bit of a time crunch. Please help me out.
What you need to know about JSP: nothing. JSP is old and clunky; use Thymeleaf instead. But if you're building single-page web apps you don't need any templates; you just need to know how to accept and return JSON.
Servlets: you need to understand the threading model: there's only one servlet being traversed by multiple threads, and any instance variables will be accessed by all the HTTP request threads. More than servlets, you need to know filters, because Spring Security uses them.

Can I use Jackson and XStream serializers for the same event across multiple services?

I have 2 Spring Boot micro-services, core and web:
The core service reacts to some event (EmployeeCreatedEvent) which is triggered by web.
The core service is using the Jackson serializer to serialize commands, queries, events and messages, whereas the web service is using the XStream serializer.
I am getting the below error in core while handling the EmployeeCreatedEvent triggered by web:
Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('<' (code 60)):
expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
I am using the below properties (jackson for core and default for web):
axon.serializer.general = jackson/default
axon.serializer.events = jackson/default
axon.serializer.messages = jackson/default
Can someone suggest whether it is OK to use different serializers for the same event in different services?
I agree with @Augusto here, and you should make a decision about which serialization format you are going to use across all your services.
I am assuming you started with the default serializer (which is XStream and XML) and later on decided to move to Jackson (which is JSON).
In that case, there are two pieces of advice I can share with you:
You can write a custom Serializer which has both implementations and tries both of them to see which one works, for example trying with XML and falling back to JSON.
Or you can have a Component which will listen to all Events from your EventStore, deserialize them using XStream and write them back to another EventStore using Jackson. In this case, for the migration period, you will have this component using 2 Event Streams (one for each EventStore), but after the migration is done your whole EventStore will be in JSON. This requires some work but is the best approach in my opinion and will save you a lot of time and pain in the future.
You can read more about configuring 2 sources here.
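The dual-format reader the answer's first option calls for, as an added example in plain Java; it is not Axon's `Serializer` API and not code from the question or answer. `EmployeeCreatedEvent` is the event named in the question; its fields are assumptions, and the example assumes jackson-databind and XStream (1.4.7 or later, for `allowTypes`) on the classpath. Rather than trying XML and falling back to JSON, it picks the parser from the first non-blank character, which avoids handing an XML document to Jackson (the exact `JsonParseException` quoted in the question). The point a defender should not skip: XStream instantiates whatever class the XML names, so the XML path is only safe with a type allowlist.

```java
import java.io.IOException;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.thoughtworks.xstream.XStream;

// The event named in the question; its fields are an assumption.
public class EmployeeCreatedEvent {
    public String employeeId;
    public String name;

    public EmployeeCreatedEvent() { }              // both libraries need a no-arg constructor
    public EmployeeCreatedEvent(String employeeId, String name) {
        this.employeeId = employeeId;
        this.name = name;
    }
}

// Reads an event whether it was written by XStream (XML, the web service) or Jackson (JSON, core).
class DualFormatEventReader {
    private final ObjectMapper jackson = new ObjectMapper();
    private final XStream xstream = new XStream();

    DualFormatEventReader() {
        // Restrict XStream to the event types this reader exists for; any other
        // class named in a payload is refused instead of being instantiated.
        xstream.allowTypes(new Class[] { EmployeeCreatedEvent.class });
        xstream.alias("EmployeeCreatedEvent", EmployeeCreatedEvent.class);
    }

    EmployeeCreatedEvent read(String payload) throws IOException {
        String body = payload.trim();
        if (body.startsWith("<")) {                          // XML from the XStream side
            Object o = xstream.fromXML(body);
            if (!(o instanceof EmployeeCreatedEvent)) {
                throw new IOException("XML did not contain an EmployeeCreatedEvent");
            }
            return (EmployeeCreatedEvent) o;
        }
        if (body.startsWith("{")) {                          // JSON from the Jackson side
            return jackson.readValue(body, EmployeeCreatedEvent.class);
        }
        throw new IOException("unrecognised serialized form, starts with: "
                + body.substring(0, Math.min(16, body.length())));
    }

    public static void main(String[] args) throws IOException {
        DualFormatEventReader reader = new DualFormatEventReader();
        EmployeeCreatedEvent original = new EmployeeCreatedEvent("E-1001", "Ada");

        // Constructed inputs: the same event as each service would emit it.
        String xml = reader.xstream.toXML(original);
        String json = reader.jackson.writeValueAsString(original);

        System.out.println(reader.read(xml).name);
        System.out.println(reader.read(json).name);

        // Feeding the XML form straight to Jackson reproduces the error from the question.
        try {
            reader.jackson.readValue(xml, EmployeeCreatedEvent.class);
        } catch (JsonProcessingException e) {
            System.out.println("jackson alone: " + e.getOriginalMessage());
        }
    }
}
```

Once the migration the answer's second option describes is finished, the XML branch (and the XStream dependency) can be deleted, which is the smaller attack surface to end up with.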

Spring: Auto Generate CRUD REST Controller

Is there a way to generate a Spring REST controller for a business flow?
I want to generate CRUD services for a given database object. For example, for "employee_mst", generate the CRUD services code automatically. This is similar to what we used to have in Hibernate or what we have in loopback.io for Node. Appreciate any help around it.
I found a link that may answer your question: https://docs.spring.io/spring-data/rest/docs/current/reference/html/.
This text explains that Spring Data REST generates REST interfaces from Spring Data repositories.
I intend to try this but did not do so yet.
EDIT: I saw in my example application that Spring Data REST did what I expected. I could request all entities in my Spring Data repository using an HTTP request. The returned JSON also contained discovery information. You may prefer writing your own controller to have more control over what information is returned.

Spring MVC forwarding request to another controller

I have a few Spring controllers, and all of these controllers' model attributes extend some common form (BaseForm). All common properties are in BaseForm and specific properties are in subclasses, which act as model attributes for the controllers.
Based on a special condition I have scenarios to forward to another controller, but while this forward is happening the request contains the old data as well, giving double values to the parameters and failing the forwarded request.
Actually this code is copied from a Struts-based project as part of migrating to Spring MVC.
Please help me on this.
Thanks,
Syamala.

Spring Context Event

I am currently studying Spring.
While reading a Spring book, I met a part regarding Events.
By using context.publishEvent(..), I could trigger the event.
But I don't know what it's exactly for.
I can use other methods instead of using the complicated publishEvent.
Please, tell me. Thank you.
Spring Events are used to implement the publish-subscribe model (or observer pattern), where two unrelated parts of code must be somehow connected.
Think of the analogy of web applications, where the servlet container creates HTTP sessions and your code is informed about this using javax.servlet.http.HttpSessionListener.
Spring uses this mechanism internally. It's much more visible in Spring Security, where several parts of the code are informed about, e.g., successful authentication.
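The decoupling the answer describes, shown as an added example that is not from the question or the answer. `PasswordChangedEvent`, `AccountService` and `SecurityAuditListener` are assumed names; `AuthenticationSuccessEvent` and `AbstractAuthenticationFailureEvent` are the real events Spring Security publishes on login success and failure (spring-security-core assumed on the classpath). The publishing service never references the listener, and the same listener also receives Spring Security's own events, which is how an audit trail can be added without touching authentication code.

```java
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// A custom event. Since Spring 4.2 any object can be published; no ApplicationEvent subclass needed.
public class PasswordChangedEvent {
    private final String username;
    public PasswordChangedEvent(String username) { this.username = username; }
    public String getUsername() { return username; }
}

// Publisher side: announces what happened and does not know who is listening.
// ApplicationContext implements ApplicationEventPublisher, so this is the same
// publishEvent(..) the question refers to, injected instead of called on the context.
@Service
class AccountService {
    private final ApplicationEventPublisher publisher;

    AccountService(ApplicationEventPublisher publisher) {
        this.publisher = publisher;
    }

    public void changePassword(String username, String newPassword) {
        // ... update the credential store (omitted) ...
        publisher.publishEvent(new PasswordChangedEvent(username));
    }
}

// Subscriber side: an audit component that AccountService never references.
// Listeners run synchronously on the publishing thread unless configured otherwise.
@Component
class SecurityAuditListener {

    @EventListener
    public void onPasswordChanged(PasswordChangedEvent event) {
        System.out.println("AUDIT password changed for " + event.getUsername());
    }

    @EventListener
    public void onLoginSuccess(AuthenticationSuccessEvent event) {
        System.out.println("AUDIT login ok for " + event.getAuthentication().getName());
    }

    @EventListener
    public void onLoginFailure(AbstractAuthenticationFailureEvent event) {
        // Carries the attempted principal and the failure reason: the input for lockout or alerting.
        System.out.println("AUDIT login failed for " + event.getAuthentication().getName()
                + ": " + event.getException().getMessage());
    }
}
```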
