is this example of mass assignment and should we throws exception for this?

I have read the following article on Mass assignment https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html

but still have some unknowns, e.g.

public class User {
   private String userid;
   private String password;
   private String email;
   //private boolean isAdmin;  // NO isAdmin property in the User class

   // Getters & Setters (Spring's data binder calls the setter whose name matches the request parameter)
   public String getUserid() { return userid; }
   public void setUserid(String userid) { this.userid = userid; }
   public String getPassword() { return password; }
   public void setPassword(String password) { this.password = password; }
   public String getEmail() { return email; }
   public void setEmail(String email) { this.email = email; }
}

Here is the controller handling the request:

// Spring MVC handler; Spring binds every matching request parameter onto a new User instance
@RequestMapping(value = "/addUser", method = RequestMethod.POST)
public String submit(User user) {
   userService.add(user);
   return "successPage";
}

here is the request with more parameters than the class User has (isAdmin=true)

POST /addUser
...
userid=bobbytables&password=hashedpass&[email protected]&isAdmin=true

As the class User has NO isAdmin property,

  1. does the class User still have a Mass Assignment security problem for this request?
  2. should we throw an exception if the request has more parameters than the expected binding input class?
  3. related to question 2, if we ignore the extra parameter and return response 200 (OK), is this right? In a security check, our program was flagged for returning 200 in a similar case.

As I read the article, the solution has NOT said to throw an error or exception for this case.

There are 0 answers
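Added example (not from the post, and not Spring's own documentation): a version of the controller above that allow-lists the fields the data binder may set and answers any request carrying parameters outside that list with 400 instead of 200, logging the names so that probing for hidden fields is visible. It assumes the asker's User and UserService classes, Spring 5+ (ResponseStatusException) and Java 9+ (Set.of).

```java
import java.util.Set;
import java.util.TreeSet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.server.ResponseStatusException;

@Controller
public class UserController {
    private static final Logger log = LoggerFactory.getLogger(UserController.class);

    // The only parameters a self-registration request may carry (assumption for this
    // example). Add framework parameters such as "_csrf" if your forms post them in the body.
    private static final Set<String> ALLOWED = Set.of("userid", "password", "email");

    private final UserService userService; // the asker's service, assumed to exist

    public UserController(UserService userService) { this.userService = userService; }

    // Allow-list the binder for the "user" model attribute: setters are invoked only for these
    // names, so isAdmin=true never reaches User even if an isAdmin property is added later.
    @InitBinder("user")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields(ALLOWED.toArray(new String[0]));
    }

    @PostMapping("/addUser")
    public String submit(@ModelAttribute("user") User user, BindingResult result,
                         WebRequest request) {
        // Stricter than Spring's default (silently drop unknown parameters): reject the
        // request with 400 and log the offending names, so probing for hidden fields shows up.
        Set<String> extra = new TreeSet<>(request.getParameterMap().keySet());
        extra.removeAll(ALLOWED);
        if (!extra.isEmpty()) {
            log.warn("POST /addUser rejected: unexpected parameters {}", extra);
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unexpected parameters");
        }
        if (result.hasErrors()) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid registration data");
        }
        userService.add(user);
        return "successPage";
    }
}
```

The allow-list alone already makes the binding safe regardless of which properties User gains later; the explicit 400 is the extra step for the case where a scanner treats a 200 on an unexpected parameter as a finding.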