Laravel 4 Mass Assignment Update Java

Last revision (mm/dd/yy): 12/21/2016

Introduction

Definition

Software frameworks sometimes allow developers to automatically bind HTTP request parameters into program code variables or objects to make the framework easier to use. This convenience can cause harm: an attacker can supply extra parameters that the developer never intended, which in turn creates or overwrites variables or object fields in program code that were never meant to be set from the request. This is called a mass assignment vulnerability.

Alternative Names

Depending on the language/framework in question, this vulnerability can have several alternative names:

  • Mass Assignment: Ruby on Rails, NodeJS
  • Autobinding: Spring MVC, ASP.NET MVC
  • Object injection: PHP

Example

Suppose there is a form for editing a user's account information:

<form>
  <input name=userid type=text>
  <input name=password type=text>
  <input name=email type=text>
  <input type=submit>
</form>

Here is the object that the form is binding to:

public class User {
    private String userid;
    private String password;
    private String email;
    private boolean isAdmin; // sensitive field, never meant to come from the form
    // Getters & Setters
}

Here is the controller handling the request:

@RequestMapping(value = "/addUser", method = RequestMethod.POST)
public String submit(User user) {
    // Spring binds every request parameter with a matching setter into User, isAdmin included
    userService.add(user);
    return "successPage";
}

Here is the typical request:

POST /addUser userid=bobbytables&password=hashedpass&email=bobby@tables.com

And here is the exploit:

POST /addUser userid=bobbytables&password=hashedpass&email=bobby@tables.com&isAdmin=true

Exploitability

This functionality becomes exploitable when:

  • Attacker can guess common sensitive fields
  • Attacker has access to source code and can review the models for sensitive fields
  • AND the object with sensitive fields has an empty constructor

Case Studies

GitHub

In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. GitHub's Blog Post

Solutions

  • Whitelist the bindable, non-sensitive fields
  • Blacklist the non-bindable, sensitive fields
  • Use Data Transfer Objects (DTOs)

General Solutions

Data Transfer Objects (DTOs)

An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO.

public class UserRegistrationFormDTO {
    private String userid;
    private String password;
    private String email;
    // NOTE: isAdmin field is not present, so it cannot be bound from the request
    // Getters & Setters
}
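To make the difference between the binders concrete, here is an added example (not code from the cheat sheet) that feeds the "typical" and "exploit" request bodies from the Example section through a naive binder, a whitelist binder and a blacklist binder, and audits the result. The helper names (parseForm, bindAll, bindAllowed, bindDisallowed, audit) and the third request body with an unlisted field are assumptions made for this illustration.

```javascript
// Constructed request bodies from the cheat sheet's Example section; the
// third adds a field the blacklist below does not know about.
const NORMAL_BODY = 'userid=bobbytables&password=hashedpass&email=bobby@tables.com';
const EXPLOIT_BODY = NORMAL_BODY + '&isAdmin=true';
const UNLISTED_BODY = EXPLOIT_BODY + '&role=owner';

// Domain object with a sensitive flag and an empty constructor, the
// combination the Exploitability section warns about.
class User {
  constructor() {
    this.userid = null; this.password = null; this.email = null; this.isAdmin = false;
  }
}

function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body)); // every value is a string
}

// Vulnerable binder: every request parameter becomes a property.
function bindAll(body) {
  return Object.assign(new User(), parseForm(body));
}

// Whitelist binder (setAllowedFields / $fillable / _.pick): copies only the
// fields the form is meant to edit; anything else is silently dropped.
const ALLOWED = ['userid', 'password', 'email'];
function bindAllowed(body) {
  const params = parseForm(body);
  const user = new User();
  for (const f of ALLOWED) if (f in params) user[f] = params[f];
  return user;
}

// Blacklist binder (setDisallowedFields / $guarded): copies everything not
// listed, so a sensitive field added to User later is bound until listed.
const DISALLOWED = new Set(['isAdmin']);
function bindDisallowed(body) {
  const user = new User();
  for (const [k, v] of Object.entries(parseForm(body))) {
    if (!DISALLOWED.has(k)) user[k] = v;
  }
  return user;
}

// Reports whether the sensitive flag changed and which undeclared properties appeared.
function audit(user) {
  const declared = Object.keys(new User());
  const extra = Object.keys(user).filter((k) => !declared.includes(k));
  return { elevated: user.isAdmin !== false, extra };
}
```

Note that the naive binder ends up with the string 'true' in isAdmin, which is truthy in any later privilege check, while the blacklist still lets the unlisted role field through.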

Language & Framework Specific Solutions

Spring MVC

Whitelisting

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.WebRequest;

@Controller
public class UserController {

    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request) {
        // Only these request parameters may be bound; isAdmin is never set from input
        binder.setAllowedFields("userid", "password", "email");
    }
    ...
}


Blacklisting

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.WebRequest;

@Controller
public class UserController {

    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request) {
        // Every other parameter is still bound, so new sensitive fields must be added here
        binder.setDisallowedFields("isAdmin");
    }
    ...
}


NodeJS + Mongoose

Whitelisting

var mongoose = require('mongoose');
var _ = require('underscore');

var UserSchema = new mongoose.Schema({
  userid:   String,
  password: String,
  email:    String,
  isAdmin:  Boolean
});

// Static list of the fields a client may set when creating a user
UserSchema.statics.userCreateSafeFields = ['userid', 'password', 'email'];

var User = mongoose.model('User', UserSchema);

// Copy only the whitelisted keys from the request body; isAdmin is dropped
var user = new User(_.pick(req.body, User.userCreateSafeFields));


Blacklisting

var mongoose = require('mongoose');
var massAssign = require('mongoose-mass-assign');

var UserSchema = new mongoose.Schema({
  userid:   String,
  password: String,
  email:    String,
  // protect: true marks the field as not mass-assignable
  isAdmin:  { type: Boolean, protect: true, default: false }
});
UserSchema.plugin(massAssign);

var User = mongoose.model('User', UserSchema);

/** Static method, useful for creation **/
var user = User.massAssign(req.body);

/** Instance method, useful for updating **/
var user = new User();
user.massAssign(req.body);

/** Static massUpdate method: protected keys are stripped from the $set document **/
var input = { userid: 'bhelx', isAdmin: 'true' };
User.update({ '_id': someId }, { $set: User.massUpdate(input) }, console.log);


Ruby On Rails


Django


ASP.NET


PHP Laravel + Eloquent

Whitelisting

<?php
namespace App;

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // Table columns: userid, password, email, isAdmin. Eloquent keeps them as
    // attributes, so they are not declared as class properties.

    // Whitelist: only these attributes may be set through mass assignment;
    // isAdmin is silently ignored when it appears in the input
    protected $fillable = array('userid', 'password', 'email');
}


Blacklisting

<?php
namespace App;

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // Table columns: userid, password, email, isAdmin. Eloquent keeps them as
    // attributes, so they are not declared as class properties.

    // Blacklist: every attribute except isAdmin may be mass-assigned, so a new
    // sensitive column added later is fillable until it is listed here
    protected $guarded = array('isAdmin');
}


Grails


Play


Jackson (JSON Object Mapper)


GSON (JSON Object Mapper)


JSON-Lib (JSON Object Mapper)


Flexjson (JSON Object Mapper)



A Laravel Model makes it very easy to store, read (retrieve), update and delete (CRUD) a resource in a Laravel application. In this post, I am going to show you how to use a laravel model to manage blog posts. I touched on this in my previous post when I talked about using laravel resource controllers here. The Eloquent ORM included with Laravel provides a beautiful, simple ActiveRecord implementation for working with your database. Each database table has a corresponding “Model” which is used to interact with that table.

In my post on laravel resource controllers, I mentioned that you use resource controllers to manage resources. Often, the resources would be stored in a database. That involves using tables to insert, update, query, delete and other operations that make up CRUD. Using our Post as an example (a blog post like the one you are reading right now), we will learn how to create a model for it.

How To Use a Laravel Model – Example Code

Our Post model will extend Eloquent (that makes it an Eloquent model) – which provides most of the methods we will need to work with resources.

Post.php

I have explicitly told Eloquent which table to use above even though I didn’t have to. Eloquent will use the lowercase plural version of the class name; in this case – posts for the table name. Awesome right? That is all you need to have a working model in laravel.

Soft Delete In Laravel Model

One great feature that I like is Soft Deletes.

Soft deletes enable you to delete a blog post without actually deleting it from your table; instead, it adds a deleted_at column. Here is how you can add that functionality to your model.

Mass Assignment in Laravel Models

When you create a Post, you could pass an array of attributes (title, body, author, tags) into the constructor of your Laravel model. They will then be inserted into the table through mass assignment. This can be a problem security-wise. Why? Someone could insert anything they want into your database, including SQL commands. To avoid such a security risk, Eloquent lets you set a protected attribute called $fillable; here is how we do it in our Post Laravel model.

There are more attributes you could set for your model, but for now, let us move on to the next step.

Using Laravel Model Create Method

Once you have defined your laravel model, you can create an instance and set the attributes then save it to the database; creating tables is not necessarily covered in this post – will do so in my next post. It is very easy using migrations. Here is how we use the laravel Model Create method to create new resources in your controller.

BlogPostController.php

Fetching Posts From the Database

After storing your blog posts in a table, you can easily fetch and pass them to the view. Here is how you do that in your controller:

Restore My Soul

If you accidentally deleted a post, you can easily restore it by using this simple method;

How awesome is that huh?

I feel like I should stop here and let you digest what we have talked about so far. Next post will show you how to use laravel migrations to create tables – pretty easy stuff. I hope you will join me as I do that probably tomorrow. You can learn more about laravel models here.

If you found this post helpful to you, please consider sharing with your friends using the buttons below and dropping me a line through the comments or even contact me. Thank you for stopping by and keep being awesome!

 

 

class Post extends Eloquent
{
    // Post.php: table name set explicitly (Eloquent would default to "posts" anyway)
    protected $table = "posts";
}

 

 

 

 

use Illuminate\Database\Eloquent\SoftDeletingTrait;

class Post extends Eloquent
{
    use SoftDeletingTrait;

    protected $table = "posts";

    // deleted_at is treated as a date; rows with it set are hidden from normal queries
    protected $dates = ['deleted_at'];
}

 

 


 

 

use Illuminate\Database\Eloquent\SoftDeletingTrait;

class Post extends Eloquent
{
    use SoftDeletingTrait;

    protected $table = "posts";

    // only allow the following items to be mass-assigned to our model
    protected $fillable = array('title', 'author', 'body', 'tag');

    protected $dates = ['deleted_at'];
}

 

 


 

 

class BlogPostController extends BaseController
{
    // this is from my previous post on laravel resource controllers
    public function index() {}

    public function create() {}

    public function show($id) {}

    public function store()
    {
        // get input from a form and create your model then save to db;
        // only the keys listed in Post::$fillable are mass-assigned
        $post = Post::create(array(
            'title'  => Input::get('title'),
            'author' => Auth::user()->first,
            'body'   => Input::get('body'),
            'tag'    => Input::get('tag')
        ));
        // create() has already inserted the row; save() is a no-op on an unchanged model
        if ($post->save())
        {
            return Redirect::route('posts.index');
        }
    }

    public function edit($id) {}

    public function update($id) {}

    public function destroy($id) {}
}

 

 


 

 

class BlogPostController extends BaseController
{
    // this is from my previous post on laravel resource controllers
    public function index()
    {
        // fetch all posts stored in db (those not deleted).
        $posts = Post::all();

        // fetch all including soft deleted posts
        $posts = Post::withTrashed()->get();

        // fetch only trashed/deleted posts
        $posts = Post::onlyTrashed()->get();
    }
}

 

 

 

 

class BlogPostController extends BaseController
{
    public function restorePost($id)
    {
        // withTrashed() is required, otherwise the soft-deleted row is invisible to the query
        Post::withTrashed()->where('id', $id)->restore();
    }
}

 

 
