Question

假设我们有这个豆

#include "pch.h"
#define _WINSOCK_DEPRECATED_NO_WARNINGS

#include <iostream>
#include <string>
#include <fstream>
#include <WinSock2.h>
#pragma comment( lib, "Ws2_32.lib" )

int main()
{
    char word[255];
    std::fstream stream;
    stream.open("Text.txt");
    stream >> word;
    std::cout << word << "\n";

    WSADATA wsa_Data;
    WSAStartup(0x101, &wsa_Data);

    char buffer[255];
    gethostname(buffer, 255);
    std::cout << buffer << std::endl;

    WSACleanup();

    if (word == buffer)
    {
        std::cout << "Welcome!\n";

        for (int i = 0; i < 3; ++i)
        {
            std::cout << ".";
                Sleep(300);
        }
        std::cout << std::endl;
    }
    else
    {
        std::cout << "You can't access this program from that PC!\n";
        Sleep(200);
        exit(1);
    }

    getchar();

    return 0;
}

现在在Employee UI中，我们有这样的东西：

public class Bean {
   @NotBlank(groups = {CheckForEmployee.class, CheckForAdmins.class})
   private String sth1;

   @NotBlank(groups = {CheckForAdmins.class})
   private String sth2;

   //getters and setters
}

这是给管理员的：

<input name="sth1" type="text" />

我们都知道像Spring这样的框架可以将这些值绑定到Bean对象，例如在Spring中，我们有这样的东西：

<input name="sth1" type="text" />
<input name="sth2" type="text" />

现在这是问题：如果恶意员工知道管理员有一个名为“ sth2” 的字段，他可以手动生成一个发布请求并投入价值 sth2 并将其发送到服务器。

Spring将绑定此值，因为：

该字段位于Bean类内部
没有针对员工的sth2验证

您对此有何解决方案？

假设CSRF已禁用，我们仍然想使用弹簧绑定

Answer 1

public class Bean {

    @NotBlank(groups = Validator.CheckForEmployee.class)
    private String sth1;


    @BlockAccess(groups = Validator.CheckForEmployee.class)
    @NotBlank(groups = Validator.CheckForAdmin.class)
    private String sth2;

    //getters and setters
}

public class Validator {
    public interface CheckForEmployee{}
    public interface CheckForAdmin{}
}


@Target({ElementType.FIELD, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = BlockAccessImpl.class)
@Documented
public @interface BlockAccess {
    String message() default "Access is denied!";

    Class<?>[] groups() default {};

    Class<? extends Payload>[] payload() default {};

}

public class BlockAccessImpl implements ConstraintValidator<BlockAccess, Object> {

    @Override
    public void initialize(BlockAccess constraintAnnotation) {

    }

    @Override
    public boolean isValid(Object value, ConstraintValidatorContext context) {
        return false;
    }
}

public class Test {

    public static void main(String[] args) {
        ValidatorFactory factory = Validation.buildDefaultValidatorFactory();
        Validator validator = factory.getValidator();
        Bean b = new Bean();
        b.setSth1("Hi");
        b.setSth2("Bye");

        Set<ConstraintViolation<Bean>> s = validator.validate(b, Validator.CheckForEmployee.class);

        for (ConstraintViolation<Bean> f : s) {
            System.out.println(f.getPropertyPath() + " " + f.getMessage());
        }
    }
}

sth2访问被拒绝！

JSR-303 bean验证-避免绕过字段

1 个答案: