Closed akondasif closed 4 years ago
Yes, that makes sense. Thanks for the feedback!
@ewolff
Our pleasure. As future work, we are planning to automatically repair these instances so that it is less work for developers ... any feedback on how we can do that?
Well, that is great because it would save some time. 🙂
I assume in my case most often the methods should only be accessible through GET. So adding method = RequestMethod.GET should be enough if there is not method=... present. I have some tests so I assume an error would lead to failed tests.
I am looking forward to your tool! You can also use the other repositories called microservices-*. They should have similar issues.
The test I added above shows that a POST to a method annotated with @RequestMapping without a method parameter causes an HTTP status code of 405 - Method not allowed. So @RequestMapping without a method behaves identically to @RequestMapping with method = RequestMethod.GET. So I think the OWASP recommendation you refer to is wrong. Of course this is a bold statement but that is what the test says. It also explains why I use method = RequestMethod.POST but never method = RequestMethod.GET. Feel free to reopen if you find different behavior.
@ewolff
Thanks for the valuable feedback ... we will run the tool against microservices-* as you suggested
Actually you are right. Without method POST and GET are both executed.
Greetings,
We are researchers and we have identified insecure coding patterns and configurations in the microservice architecture repositories. In your repository, we have found instances of @RequestMapping methods without POST or GET. According to the Common Weakness Enumeration and JAVA OWASP, this is a security weakness and needs to be avoided. We request a fix for this issue. Looking forward to your feedback.
Source:
https://github.com/ewolff/microservice/blob/fd8fd5ef6afaa5be4b5f81e8972474917002d727/microservice-demo/microservice-demo-catalog/src/main/java/com/ewolff/microservice/catalog/web/CatalogController.java#L25
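The behaviour the thread settles on (a @RequestMapping without a method attribute is reached by both GET and POST, while method = RequestMethod.GET turns a POST into a 405) can be checked with a MockMvc test. This is an added example, not code from the ewolff/microservice repository; the controller, the paths and the test class names are hypothetical.

```java
// Added example: minimal Spring MVC controller with the two mapping styles
// discussed in the issue, plus a standalone MockMvc test (JUnit 5).
// CatalogDemoController and its paths are hypothetical, not from the repo.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.stereotype.Controller;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class CatalogDemoController {

    // Weak form: no method attribute, so GET, POST, PUT, DELETE, ... are all routed here.
    @RequestMapping("/catalog/open")
    @ResponseBody
    public String open() { return "catalog"; }

    // Hardened form: only GET reaches the handler; any other method gets HTTP 405.
    @RequestMapping(value = "/catalog/readonly", method = RequestMethod.GET)
    @ResponseBody
    public String readOnly() { return "catalog"; }
}

// Standalone setup: no Spring application context is needed, just the controller instance.
class CatalogDemoControllerTest {
    private final MockMvc mvc =
        MockMvcBuilders.standaloneSetup(new CatalogDemoController()).build();

    @Test
    void unrestrictedMappingAcceptsEveryMethod() throws Exception {
        mvc.perform(get("/catalog/open")).andExpect(status().isOk());
        mvc.perform(post("/catalog/open")).andExpect(status().isOk());
    }

    @Test
    void getOnlyMappingRejectsPost() throws Exception {
        mvc.perform(get("/catalog/readonly")).andExpect(status().isOk());
        mvc.perform(post("/catalog/readonly")).andExpect(status().isMethodNotAllowed());
    }
}
```

The first test is the one that fails once a method attribute is added to the open mapping, which is how an existing test suite would flag an automated repair that restricted a handler too far.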