ewolff / microservice

Sample of a Microservice setup for my book. Based on Spring Cloud / Netflix / Java / Docker / Docker Compose / Docker Machine / Vagrant


Fix request: Request without GET or POST

akondasif opened this issue · comments

Greetings,

We are researchers and we have identified insecure coding patterns and configurations in microservice architecture repositories. In your repository, we have found instances of @RequestMapping methods without POST or GET. According to the Common Weakness Enumeration and the Java OWASP guidance, this is a security weakness and needs to be avoided.

We request a fix for this issue. Looking forward to your feedback.

Source:

@RequestMapping(value = "/{id}.html", method = RequestMethod.GET, produces = MediaType.TEXT_HTML_VALUE)

Yes, that makes sense. Thanks for the feedback!

@ewolff

Our pleasure. As future work, we are planning to automatically repair these instances so that it is less work for developers ... any feedback on how we can do that?

Well, that is great because it would save some time. 🙂

I assume in my case most often the methods should only be accessible through GET. So adding method = RequestMethod.GET should be enough if there is no method=... present. I have some tests, so I assume an error would lead to failed tests.

I am looking forward to your tool! You can also use the other repositories called microservices-* . They should have similar issues.

The test I added above shows that a POST to a method annotated with @RequestMapping without a method parameter causes an HTTP status code of 405 - Method Not Allowed. So @RequestMapping without a method behaves identically to @RequestMapping with method = RequestMethod.GET. So I think the OWASP recommendation you refer to is wrong. Of course this is a bold statement, but that is what the test says. It also explains why I use method = RequestMethod.POST but never method = RequestMethod.GET. Feel free to reopen if you find different behavior.

@ewolff

Thanks for the valuable feedback ... we will run the tool against microservices-* as you suggested

Actually you are right. Without method POST and GET are both executed.
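The thread ends on the point that an @RequestMapping without a method attribute matches every HTTP verb, which is why the repair proposed earlier (add method = RequestMethod.GET where it is absent) closes the gap. The following is an added example, not code from the ewolff/microservice repository or from the researchers' tool: a small Spring MVC controller that places the unrestricted mapping beside the restricted one, plus a standalone MockMvc check that makes the difference observable (POST is accepted by the first, refused with 405 by the second). The class names, paths and test are assumptions chosen for illustration.

```java
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical controller used only to demonstrate the two mapping styles.
public class MethodRestrictionDemo {

    @org.springframework.stereotype.Controller
    static class ItemController {

        // Unrestricted: no 'method' attribute, so Spring MVC routes GET, POST,
        // PUT, DELETE, ... to this handler. This is the pattern the issue flags.
        @RequestMapping(value = "/open/{id}.html", produces = MediaType.TEXT_HTML_VALUE)
        @ResponseBody
        public String openItem(@PathVariable("id") String id) {
            return "<html><body>item " + id + "</body></html>";
        }

        // Restricted: the proposed repair. Only GET reaches the handler; any
        // other verb is answered with 405 Method Not Allowed before user code runs.
        @RequestMapping(value = "/restricted/{id}.html",
                        method = RequestMethod.GET,
                        produces = MediaType.TEXT_HTML_VALUE)
        @ResponseBody
        public String restrictedItem(@PathVariable("id") String id) {
            return "<html><body>item " + id + "</body></html>";
        }
    }

    // Standalone MockMvc setup: no Spring Boot context or running server needed,
    // so the check can be dropped into any JUnit test class.
    public static void main(String[] args) throws Exception {
        MockMvc mvc = MockMvcBuilders.standaloneSetup(new ItemController()).build();

        // Both mappings serve GET as intended.
        mvc.perform(get("/open/1.html")).andExpect(status().isOk());
        mvc.perform(get("/restricted/1.html")).andExpect(status().isOk());

        // The unrestricted mapping also executes on POST (status 200):
        // the handler body runs for a verb the author never meant to support.
        mvc.perform(post("/open/1.html")).andExpect(status().isOk());

        // The restricted mapping rejects POST with 405, which is the
        // behaviour the thread initially assumed for the unrestricted case.
        mvc.perform(post("/restricted/1.html")).andExpect(status().isMethodNotAllowed());

        System.out.println("all expectations held");
    }
}
```

The same check can be expressed with the shorthand `@GetMapping` / `@PostMapping` annotations in place of `method = RequestMethod.GET` / `RequestMethod.POST`; what matters for the automatic repair is that every `@RequestMapping` without a `method` attribute gets one, and that an existing test suite runs afterwards so that any handler that legitimately needed another verb shows up as a failing test.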