ewolff / microservice

Sample of a Microservice setup for my book. Based on Spring Cloud / Netflix / Java / Docker / Docker Compose / Docker Machine / Vagrant
Apache License 2.0
725 stars 352 forks

Fix request: Request without GET or POST #28

Closed akondasif closed 4 years ago

akondasif commented 4 years ago

Greetings,

We are researchers and we have identified insecure coding patterns and configurations in microservice architecture repositories. In your repository, we have found instances of @RequestMapping methods without POST or GET. According to the Common Weakness Enumeration and JAVA OWASP, this is a security weakness and needs to be avoided.

We request a fix for this issue. Looking forward to your feedback.

Source:

https://github.com/ewolff/microservice/blob/fd8fd5ef6afaa5be4b5f81e8972474917002d727/microservice-demo/microservice-demo-catalog/src/main/java/com/ewolff/microservice/catalog/web/CatalogController.java#L25

ewolff commented 4 years ago

Yes, that makes sense. Thanks for the feedback!

akondasif commented 4 years ago

@ewolff

Our pleasure. As future work, we are planning to automatically repair these instances so that it is less work for developers ... any feedback on how we can do that?

ewolff commented 4 years ago

Well, that is great because it would save some time. 🙂

I assume in my case most often the methods should only be accessible through GET. So adding method = RequestMethod.GET should be enough if there is no method=... present. I have some tests, so I assume an error would lead to failed tests.

I am looking forward to your tool! You can also use the other repositories called microservices-* . They should have similar issues.

ewolff commented 4 years ago

The test I added above shows that a POST to a method annotated with @RequestMapping without a method parameter causes an HTTP status code of 405 - Method not allowed. So @RequestMapping without a method behaves identically to @RequestMapping with method = RequestMethod.GET. So I think the OWASP recommendation you refer to is wrong. Of course this is a bold statement, but that is what the test says. It also explains why I use method = RequestMethod.POST but never method = RequestMethod.GET. Feel free to reopen if you find different behavior.

akondasif commented 4 years ago

@ewolff

Thanks for the valuable feedback ... we will run the tool against microservices-* as you suggested

ewolff commented 4 years ago

Actually you are right. Without method POST and GET are both executed.
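The behaviour the thread settles on, as an added example that is not the repository's own code: a hypothetical controller with one unrestricted @RequestMapping and one pinned to GET, plus a MockMvc test showing that a POST is served by the first and answered with 405 by the second. Class names and paths are assumptions.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller (not the repository's CatalogController) showing both forms.
@RestController
class CatalogMappingExample {
    // Weak form: no method restriction, so GET, POST, PUT, DELETE ... all reach this handler.
    @RequestMapping("/catalog/any")
    public String anyVerb() {
        return "handled";
    }

    // Fixed form: restricted to GET; every other verb is answered with 405 Method Not Allowed.
    @RequestMapping(value = "/catalog/get-only", method = RequestMethod.GET)
    public String getOnly() {
        return "handled";
    }

    // Equivalent shorthand for the fixed form.
    @GetMapping("/catalog/get-only-short")
    public String getOnlyShort() {
        return "handled";
    }
}

class CatalogMappingExampleTest {
    private final MockMvc mvc =
            MockMvcBuilders.standaloneSetup(new CatalogMappingExample()).build();

    @Test
    void postIsAcceptedOnlyByTheUnrestrictedMapping() throws Exception {
        // Both mappings serve GET.
        mvc.perform(get("/catalog/any")).andExpect(status().isOk());
        mvc.perform(get("/catalog/get-only")).andExpect(status().isOk());
        // POST reaches the unrestricted handler ...
        mvc.perform(post("/catalog/any")).andExpect(status().isOk());
        // ... but is rejected once the method is pinned down.
        mvc.perform(post("/catalog/get-only")).andExpect(status().isMethodNotAllowed());
        mvc.perform(post("/catalog/get-only-short")).andExpect(status().isMethodNotAllowed());
    }
}
```

A check like the second assertion group is what makes the fix regression-proof: if someone later drops the method restriction again, the test fails instead of silently widening the endpoint.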