OpenGrok is a fast and usable source code search and cross reference engine, written in Java
http://oracle.github.io/opengrok/

use DTO JavaEE design pattern to access webapp objects with API #2917

Open QiAnXinCodeSafe opened 4 years ago

QiAnXinCodeSafe commented 4 years ago

opengrok-master/opengrok-web/src/main/java/org/opengrok/web/api/v1/controller/ProjectsController.java [screenshot]

opengrok-master/opengrok-indexer/src/main/java/org/opengrok/indexer/util/ClassUtil.java [two screenshots]

The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.

vladak commented 4 years ago

Could you expand on why this is a problem? The value in ProjectsController can indeed be arbitrary (although currently this administrative interface is protected by a localhost filter); however, there has to be a setter for the field, and Jackson has to be able to form an object from the string value. So, the validation happens when the JSON is converted to a Java object.

vladak commented 4 years ago

As suggested in https://github.com/oracle/opengrok/pull/2962#discussion_r336719935 the DTO design pattern should be used to access data via API. This should help to get rid of any "JSON injection".
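As an added illustration of what the DTO approach buys here (this is example code, not from the issue, the linked PR or OpenGrok itself): a fixed class declares the only properties the API accepts, so Jackson rejects unknown keys and wrong types while deserializing, instead of the controller writing caller-supplied field names and values straight into JSON. The field names, the `ObjectMapper` settings and the sample requests are assumptions made for the demo.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class ProjectDtoDemo {

    /** DTO: the closed set of properties a client may change (field names assumed for this demo). */
    public static final class ProjectSettingsDto {
        private String name;
        private boolean indexed;
        private int tabSize;

        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public boolean isIndexed() { return indexed; }
        public void setIndexed(boolean indexed) { this.indexed = indexed; }
        public int getTabSize() { return tabSize; }
        public void setTabSize(int tabSize) { this.tabSize = tabSize; }
    }

    // Unknown keys fail (this is Jackson's default, made explicit), and a JSON null
    // cannot silently become false/0 for a primitive field.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
            .enable(DeserializationFeature.FAIL_ON_NULL_FOR_PRIMITIVES);

    /** Parse a request body into the DTO; any shape Jackson cannot map into the DTO is an error. */
    public static ProjectSettingsDto parse(String json) throws IOException {
        return MAPPER.readValue(json, ProjectSettingsDto.class);
    }

    public static void main(String[] args) {
        // Constructed sample request bodies: one valid, one with an extra key, one with a bad type.
        String[] bodies = {
            "{\"name\":\"demo\",\"indexed\":true,\"tabSize\":4}",
            "{\"name\":\"demo\",\"indexed\":true,\"tabSize\":4,\"notAField\":\"x\"}",
            "{\"name\":\"demo\",\"indexed\":\"yes\",\"tabSize\":4}"
        };
        for (String body : bodies) {
            try {
                ProjectSettingsDto dto = parse(body);
                System.out.println("accepted: name=" + dto.getName() + " tabSize=" + dto.getTabSize());
            } catch (IOException e) {
                // The rejected body never reaches the configuration object.
                System.out.println("rejected (" + e.getClass().getSimpleName() + "): " + body);
            }
        }
    }
}
```

With a JAX-RS endpoint declared as taking `ProjectSettingsDto` (`@Consumes(MediaType.APPLICATION_JSON)`), the same rejection happens before the controller method runs, so the "JSON injection" finding reduces to the question of which fields the DTO exposes.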