Detect if entity objects are being returned by controllers in Spring

[karanb192]

In Spring, developers often tend to return the entity object as response in controllers which may reveal sensitive information from the DB which wasn't really needed. Instead DTO (Data transfer object) should be returned.

[karanb192]

This is an example of vulnerable code.

        @GetMapping("/sample/api")
	public SampleEntityClass sampleMethod(Principal principal) {
                Query query = getEntityManager().createQuery("select c from SampleTable c");
                SampleEntityClass entityObject = query.getResultList().get(0);
                return entityObject;
	}

[karanb192]

I'd like to add a custom detector for this vulnerability.
@h3xstream Views?

[h3xstream]

Interesting idea to find information leakage, the same detector could look at parameter for update operation to find potential mass assignment.

@GetMapping("/sample/api")
public void update(SampleEntityClass updateEntity) {
  ...
}

[karanb192]

Will cover this as well. Entity objects shouldn't be accept as request parameters as well. Instead Request DTOs should be used.

[karanb192]

I'll start working on this.
@h3xstream please assign this issue to me.

[h3xstream]

@karanb192 Cool
The challenge I see is that with can't just use Inheritance API to check if the class inherit from a specific class. We need to look at all the subclasses for the annotation @entity .

• javax.persistence.Entity (JPA)
• javax.jdo.spi.PersistenceCapable (JDO)
• org.springframework.data.mongodb.core.mapping.Document (Document database)

[karanb192]

Hi @h3xstream
I've raised a PR. I check for all the subclasses for above 3 annotations recursively. Please have a look - https://github.com/find-sec-bugs/find-sec-bugs/pull/457

[h3xstream]

PR integrated

[karanb192]

Hi @h3xstream
I'd like to extend this check for collections of entity objects. What say?