Detect if entity objects are being returned by controllers in Spring #454
In Spring, developers often tend to return the entity object as the response in controllers, which may reveal sensitive information from the DB that wasn't really needed. Instead, a DTO (Data Transfer Object) should be returned.

This is an example of vulnerable code.

Comments

I'd like to add a custom detector for this vulnerability.

Interesting idea to find information leakage; the same detector could look at the parameters of update operations to find potential mass assignment.

```java
@GetMapping("/sample/api")
public void update(SampleEntityClass updateEntity) {
    ...
}
```

Will cover this as well. Entity objects shouldn't be accepted as request parameters either. Instead, request DTOs should be used.

I'll start working on this.

@karanb192 Cool

Hi @h3xstream
PR integrated
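As an added example (not code from this issue or from the project), the two patterns discussed above side by side with their DTO-based fix: the entity returned as the response body, and the entity bound directly as a request parameter. The `UserEntity`, controller and DTO names are hypothetical, and a static field stands in for a repository.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical JPA entity. passwordHash and admin live in the DB but must
// neither be serialized to a client nor be settable from a request.
@Entity
class UserEntity {
    @Id public Long id;
    public String username;
    public String passwordHash;
    public boolean admin;
    static UserEntity stored = new UserEntity(); // stand-in for a repository
}

// Pattern the issue wants flagged: the entity is the response body (every
// column, passwordHash included, is serialized) and the request model, so
// Spring's data binder lets a client set ?admin=true on the update.
@RestController
class VulnerableUserController {
    @GetMapping("/vuln/user")
    public UserEntity get() { return UserEntity.stored; }

    @PostMapping("/vuln/user")
    public void update(UserEntity updateEntity) { UserEntity.stored = updateEntity; }
}

// Hardened form: DTOs name exactly the fields that cross the boundary.
class UserResponse { public Long id; public String username; }
class UserUpdateRequest { public String username; }

@RestController
class SafeUserController {
    @GetMapping("/safe/user")
    public UserResponse get() {
        UserEntity e = UserEntity.stored;
        UserResponse r = new UserResponse();
        r.id = e.id;                 // passwordHash and admin are never copied
        r.username = e.username;
        return r;
    }

    @PostMapping("/safe/user")
    public void update(UserUpdateRequest req) {
        UserEntity.stored.username = req.username; // admin can't be bound: no such DTO field
    }
}
```

A detector for this issue would flag `VulnerableUserController` on both the return type and the parameter type carrying `@Entity`, while `SafeUserController` only exposes the DTO classes.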