Abstract:
The model class Checklist has a required non-nullable property and therefore may be susceptible to under-posting attacks.
Explanation:
Using a model class that has non-nullable properties that are required (as marked with the [Required] attribute) can lead to problems if an attacker sends a request that contains less data than is expected.
The ASP.NET MVC framework will try to bind request parameters to model properties.
If a model has a required non-nullable property and an attacker does not send that property in the request -- that is, the attacker uses an under-posting attack -- then the property is left at the default value for its type (0 for numeric types and enums, false for bool). That default value satisfies the [Required] validation attribute, because [Required] only rejects null and, for strings, empty values. The model therefore passes validation with a value the client never supplied, which may produce unexpected application behavior.
The following code defines a possible model class that has a required enum, which is non-nullable (the [Required] attribute comes from System.ComponentModel.DataAnnotations):
using System.ComponentModel.DataAnnotations;

public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public string Argument { get; set; }

    // Non-nullable enum: if the request omits "Rounding", the binder leaves it at
    // default(ArgumentOptions), which is 0. That is not a defined member of the
    // enum, but it is not null, so [Required] is satisfied.
    [Required]
    public ArgumentOptions Rounding { get; set; }
}
Recommendations:
There are a few possible ways to address this problem:
1. Wrap non-nullable value types in Nullable<T>. If an attacker does not send a value, the property will be null and will not satisfy the [Required] validation attribute, so the request is rejected during model validation.
The following code defines a possible model class that wraps the enum in a Nullable<T> (written with the ? after the type of the property):
using System.ComponentModel.DataAnnotations;

public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public string Argument { get; set; }

    // Nullable enum: an omitted "Rounding" binds to null, which fails [Required].
    // Code that reads Rounding must still handle the null case (for example via
    // Rounding.Value only after ModelState.IsValid has been checked).
    [Required]
    public ArgumentOptions? Rounding { get; set; }
}
2. Define the default value of zero as a safe default or as a known invalid value. Note that [Required] on a non-nullable value type still never fails, so with this approach the application must either be correct when it receives the default member, or explicitly reject it (for example with an additional validation attribute or a check in the action method).
The following code defines a possible model class that has a required enum, which is non-nullable, but has an explicit default member so that an under-posted request maps to a known value rather than an undefined one:
using System.ComponentModel.DataAnnotations;

public enum ArgumentOptions
{
    // 0 is the value the binder assigns when "Rounding" is omitted from the
    // request; naming it makes that case visible to the application code.
    Default = 0,
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public string Argument { get; set; }

    // [Required] is satisfied by Default as well as by OptionA/OptionB, so the
    // application decides whether Default is safe to act on or must be rejected.
    [Required]
    public ArgumentOptions Rounding { get; set; }
}
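The following console program is an added example, not part of the original rule text, that reproduces the behavior described in the Explanation and in recommendations 1 and 2 without running ASP.NET MVC. It uses System.ComponentModel.DataAnnotations.Validator, which applies the same [Required] semantics that MVC model validation relies on, against the model shapes shown above plus one hardened variant that adds [EnumDataType] so undefined enum values (including the implicit 0) are rejected. The class names NonNullableModel, NullableModel and EnumCheckedModel and the "under-posted" input (only Argument supplied, Rounding omitted, which is how the model binder leaves an absent field) are constructed for the demonstration. The non-nullable model validates cleanly despite the missing field; the other two report a validation error for Rounding.

```csharp
// Added example: simulate an under-posted request and run DataAnnotations validation.
#nullable disable
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;

public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

// Vulnerable shape: [Required] on a non-nullable enum (see the Explanation section).
public class NonNullableModel
{
    [Required] public string Argument { get; set; }
    [Required] public ArgumentOptions Rounding { get; set; }
}

// Recommendation 1: Nullable<T>, so an omitted field binds to null and fails [Required].
public class NullableModel
{
    [Required] public string Argument { get; set; }
    [Required] public ArgumentOptions? Rounding { get; set; }
}

// Hardened form of recommendation 2 (assumption: the application has no legitimate
// use for an undefined enum value): keep the value type, but also require that the
// bound value is a defined member of ArgumentOptions. The implicit default 0 is not
// defined here, so it is rejected. If Default = 0 were declared as in the text above,
// this check would accept it and the action method would have to handle Default itself.
public class EnumCheckedModel
{
    [Required] public string Argument { get; set; }
    [Required, EnumDataType(typeof(ArgumentOptions))] public ArgumentOptions Rounding { get; set; }
}

public static class UnderPostingDemo
{
    // Runs the same attribute validation MVC performs and returns the error messages,
    // equivalent to what would appear in ModelState for the request.
    public static List<string> Validate(object model)
    {
        var results = new List<ValidationResult>();
        var ctx = new ValidationContext(model, serviceProvider: null, items: null);
        Validator.TryValidateObject(model, ctx, results, validateAllProperties: true);
        var errors = new List<string>();
        foreach (var r in results) errors.Add(r.ErrorMessage);
        return errors;
    }

    public static void Main()
    {
        // Constructed under-posted request: the client sends Argument=hello only.
        // Rounding is never assigned, exactly as the model binder leaves an omitted field.
        var plain = new NonNullableModel { Argument = "hello" };
        var nullable = new NullableModel { Argument = "hello" };
        var checkedEnum = new EnumCheckedModel { Argument = "hello" };

        Report("Non-nullable enum", Validate(plain), ((int)plain.Rounding).ToString());
        Report("Nullable enum", Validate(nullable), nullable.Rounding.HasValue ? nullable.Rounding.ToString() : "null");
        Report("EnumDataType check", Validate(checkedEnum), ((int)checkedEnum.Rounding).ToString());
    }

    private static void Report(string label, List<string> errors, string boundValue)
    {
        Console.WriteLine($"{label}: bound Rounding = {boundValue}, {errors.Count} validation error(s)");
        foreach (var e in errors) Console.WriteLine($"  - {e}");
    }
}
```

Run it as a plain console project (dotnet run); System.ComponentModel.DataAnnotations ships with the shared framework, so no package is needed. In a real controller the equivalent check is ModelState.IsValid: with the non-nullable model it is true for the under-posted request, which is the defect this rule reports.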