Unsafe object binding Checkmarx Spring Boot application

I'm getting this alert from Checkmarx, saying that I have an unsafe object binding when trying to save a comment. I've read that we mustn't save objects directly from the requestBody as it can be dangerous. That's why I'm getting a CommentDTO from the client, creating a new Comment from the DTO using ModelMapper, creating the comment in the CommentService and saving it to the database, but Checkmarx keeps pointing to the same issue.

This is my controller:

import org.modelmapper.ModelMapper;
import org.modelmapper.convention.MatchingStrategies;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

@RestController
public class CommentController {
    private final ModelMapper modelMapper;
    private final CommentService commentservice;

    public CommentController(ModelMapper modelMapper, CommentService commentservice) {
        this.modelMapper = modelMapper;
        this.commentservice = commentservice;
    }

    @PostMapping("/add")
    public ResponseEntity<Comment> createFaq(@RequestBody CommentDTO commentDTO) {
        try {
            // Map the incoming DTO onto the entity rather than binding the entity directly
            modelMapper.getConfiguration()
                .setMatchingStrategy(MatchingStrategies.LOOSE);
            modelMapper.getConfiguration().setAmbiguityIgnored(true);

            Comment comment = modelMapper.map(commentDTO, Comment.class);

            commentservice.create(comment);
            return new ResponseEntity<>(HttpStatus.CREATED);
        } catch (Exception e) {
            System.out.println("unable to create comment with msg " + e.getMessage());
            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
}

This is my DTO:

import java.time.LocalDateTime;

import lombok.Data;

@Data
public class CommentDTO {
    private Long id_comment;
    private String contenue;
    private Employe employe;        // full entity objects bound straight from the request body
    private Faq faq;
    private Notifications notif;
    private LocalDateTime dateOfComment = LocalDateTime.now();
}

Solution 1 [1]:

When using the default deserializer to deserialize the request body into CommentDTO, the content can describe a custom class (extending CommentDTO) that, when instantiated, may perform any action (sometimes even remote code execution). Implementing a mapper for the request body should circumvent the problem.
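As an added illustration of the mapper approach the answer suggests (example code, not from the question or the answer): the request DTO is cut down to the fields the client is allowed to supply, and a small explicit mapper builds the Comment entity server-side, so the id, timestamp, author and notification are never bound from the request body. The CommentService.create call, the FaqRepository lookup, the CurrentEmployeProvider for the logged-in user, setters on Comment matching the DTO fields, and the javax.validation package name (Spring Boot 2) are all assumptions.

```java
import java.time.LocalDateTime;
import javax.validation.Valid;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

// Request shape limited to what the client may legitimately send.
// Entities (Employe, Faq, Notifications), the id and the timestamp are deliberately absent.
class CreateCommentRequest {
    @NotBlank @Size(max = 2000) public String contenue;
    @NotNull public Long faqId;
}

@RestController
public class SafeCommentController {
    private final CommentService commentservice;         // assumed: service from the question
    private final FaqRepository faqRepository;           // assumed: lookup of existing Faq rows
    private final CurrentEmployeProvider currentEmploye; // assumed: resolves the logged-in user

    public SafeCommentController(CommentService commentservice, FaqRepository faqRepository,
                                 CurrentEmployeProvider currentEmploye) {
        this.commentservice = commentservice;
        this.faqRepository = faqRepository;
        this.currentEmploye = currentEmploye;
    }

    // Explicit mapper: every entity field is set by server-side code, so nothing
    // in the JSON body can choose the id, author, date or notification.
    Comment toEntity(CreateCommentRequest req, Employe author, Faq faq) {
        Comment comment = new Comment();
        comment.setContenue(req.contenue);
        comment.setEmploye(author);
        comment.setFaq(faq);
        comment.setDateOfComment(LocalDateTime.now());
        return comment;
    }

    @PostMapping("/add")
    public ResponseEntity<Void> create(@Valid @RequestBody CreateCommentRequest req) {
        Faq faq = faqRepository.findById(req.faqId)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "faq"));
        commentservice.create(toEntity(req, currentEmploye.get(), faq));
        return ResponseEntity.status(HttpStatus.CREATED).build();
    }
}
```

Because the request class contains only primitives and strings, a client-supplied id_comment, employe or notif element is simply ignored by the deserializer rather than written into the entity.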

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution source:
[1] Solution 1: S Shahar