
Metadata

ID: csharp-security/avoid-autobinding

Language: C#

Severity: Warning

Category: Security

CWE: 915

Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability.

This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.

Learn More

Non-Compliant Code Examples

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using WebGoatCore.ViewModels;

namespace WebGoatCore.Controllers
{
    // Analyzer fixture for csharp-security/avoid-autobinding (CWE-915), NON-COMPLIANT case.
    // This is a pattern-matching fixture, not compilable C#: `mycall`, `bar` and `baz` are
    // never declared, `View(mycall));` has an unbalanced ')', and `OtherStatusCodeController`
    // is written like a constructor but does not match the class name.
    [AllowAnonymous]
    [IgnoreAntiforgeryToken]
    public class StatusCodeController : Controller
    {
        public const string NAME = "StatusCode";

        // Fixture noise: `mycall` is not declared anywhere in this file.
        public StatusCodeController()
        {
            mycall = mycall + 1;
            View(mycall));
        }

        // The flagged flow: `code` is bound directly from the query string ([FromQuery]) and
        // reaches `new ApiResponse(code)` and `view.StatusCode` with no validation in between,
        // so the request author chooses every value that lands in those sinks. Judging by the
        // compliant fixtures on this page, either validating `code` before use or not feeding
        // the query-bound value into the sinks is what the rule accepts — confirm against the
        // rule implementation.
        [HttpGet, Route(NAME)]
        public IActionResult StatusCodeView([FromQuery] int code, int morecode, [Bind] int some)
        {
            var foo = bar + baz;
            var view = View(StatusCodeViewModel.Create(new ApiResponse(code)));
            // NOTE(review): ViewResult.StatusCode is set from the raw request value; an
            // out-of-range int here presumably fails only when the response is written.
            view.StatusCode = code;
            return view;
        }


        // Fixture noise: constructor-style member whose name differs from the class.
        public OtherStatusCodeController()
        {
            View(mycall));
        }
    }
}

Compliant Code Examples

using Microsoft.AspNetCore.Authorization;
using WebGoatCore.ViewModels;

namespace WebGoatCore.Controllers
{
    // Analyzer fixture for csharp-security/avoid-autobinding (CWE-915), COMPLIANT case.
    // Same non-compilable skeleton as the non-compliant fixture (undeclared `mycall`,
    // unbalanced ')' in `View(mycall));`, mismatched constructor-style member).
    [AllowAnonymous]
    [IgnoreAntiforgeryToken]
    public class StatusCodeController : Controller
    {
        public const string NAME = "StatusCode";

        // Fixture noise: `mycall` is not declared anywhere in this file.
        public StatusCodeController()
        {
            mycall = mycall + 1;
            View(mycall));
        }

        // Differences from the non-compliant fixture: `code` carries no [FromQuery] attribute,
        // and `ApiResponse` is constructed from `morecode` rather than `code`. The rule
        // presumably treats the absence of the explicit query-binding attribute as the
        // deciding factor here — confirm against the rule implementation.
        [HttpGet, Route(NAME)]
        public IActionResult StatusCodeView(int code, int morecode, [Bind] int some)
        {
            var view = View(StatusCodeViewModel.Create(new ApiResponse(morecode)));
            view.StatusCode = code;
            return view;
        }


        // Fixture noise: constructor-style member whose name differs from the class.
        public OtherStatusCodeController()
        {
            View(mycall));
        }
    }
}
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using WebGoatCore.ViewModels;

namespace WebGoatCore.Controllers
{
    // Analyzer fixture for csharp-security/avoid-autobinding (CWE-915), COMPLIANT case that
    // documents the rule's scope rather than a safe pattern. Same non-compilable skeleton
    // as the other fixtures on this page.
    [AllowAnonymous]
    [IgnoreAntiforgeryToken]
    public class StatusCodeController : Controller
    {
        public const string NAME = "StatusCode";

        // Fixture noise: `mycall` is not declared anywhere in this file.
        public StatusCodeController()
        {
            mycall = mycall + 1;
            View(mycall));
        }

        // Only difference from the non-compliant fixture: the return type is
        // `NotIActionResult` instead of `IActionResult`. The unvalidated [FromQuery] `code`
        // still flows into `new ApiResponse(code)` and `view.StatusCode`, so this is
        // presumably accepted because the rule only scans IActionResult actions, not because
        // the flow is safe — do not copy this as a remediation.
        [HttpGet, Route(NAME)]
        public NotIActionResult StatusCodeView([FromQuery] int code, int morecode, [Bind] int some)
        {
            var view = View(StatusCodeViewModel.Create(new ApiResponse(code)));
            view.StatusCode = code;
            return view;
        }


        // Fixture noise: constructor-style member whose name differs from the class.
        public OtherStatusCodeController()
        {
            View(mycall));
        }
    }
}
using Microsoft.AspNetCore.Authorization;
using WebGoatCore.ViewModels;

namespace WebGoatCore.Controllers
{
    // Analyzer fixture for csharp-security/avoid-autobinding (CWE-915), COMPLIANT case.
    // Same non-compilable skeleton as the other fixtures on this page.
    [AllowAnonymous]
    [IgnoreAntiforgeryToken]
    public class StatusCodeController : Controller
    {
        public const string NAME = "StatusCode";

        // Fixture noise: `mycall` is not declared anywhere in this file.
        public StatusCodeController()
        {
            mycall = mycall + 1;
            View(mycall));
        }

        // Differences from the non-compliant fixture: `code` is annotated [Bind] instead of
        // [FromQuery], and `ApiResponse` is built from `morecode` rather than `code`.
        // `view.StatusCode` is still assigned from `code`; whether the rule accepts this
        // because of the attribute change or because `code` no longer reaches the
        // ApiResponse sink is not visible here — confirm against the rule implementation.
        [HttpGet, Route(NAME)]
        public IActionResult StatusCodeView([Bind] int code, int morecode, [Bind] int some)
        {
            var view = View(StatusCodeViewModel.Create(new ApiResponse(morecode)));
            view.StatusCode = code;
            return view;
        }


        // Fixture noise: constructor-style member whose name differs from the class.
        public OtherStatusCodeController()
        {
            View(mycall));
        }
    }
}
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using WebGoatCore.ViewModels;

namespace WebGoatCore.Controllers
{
    // Analyzer fixture for csharp-security/avoid-autobinding (CWE-915), COMPLIANT case
    // showing validation before use. Same non-compilable skeleton as the other fixtures;
    // in addition, `catch exception(e)` is not valid C# catch syntax and `validateCode` is
    // not defined in this file.
    [AllowAnonymous]
    [IgnoreAntiforgeryToken]
    public class StatusCodeController : Controller
    {
        public const string NAME = "StatusCode";

        // Fixture noise: `mycall` is not declared anywhere in this file.
        public StatusCodeController()
        {
            mycall = mycall + 1;
            View(mycall));
        }

        // The binding and both sinks are identical to the non-compliant fixture; what
        // changes is that `code` passes through `validateCode(code)` first, and a failure
        // short-circuits to `View(401)` before the request value reaches `ApiResponse` or
        // `view.StatusCode`. This is the shape of the intended remediation: validate a
        // request-bound value before it is used to build internal state.
        [HttpGet, Route(NAME)]
        public IActionResult StatusCodeView([FromQuery] int code, int morecode, [Bind] int some)
        {
            try {
                validateCode(code);
            } catch exception(e) {
                // Validation failure is reported by rendering a 401 view; the exception
                // itself is not logged or rethrown here.
                return View(401);
            }
            var view = View(StatusCodeViewModel.Create(new ApiResponse(code)));
            view.StatusCode = code;
            return view;
        }


        // Fixture noise: constructor-style member whose name differs from the class.
        public OtherStatusCodeController()
        {
            View(mycall));
        }
    }
}