Grails

Controller classes allow you to change data in the database through fraudulent requests

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Not A Bug
  • Affects Version/s: 1.3.7
  • Fix Version/s: None
  • Component/s: Controllers
  • Labels:
    None
  • Environment:
    Windows Vista - STS 2.8.1

Description

Suppose your system has the following domain classes: User and Product.

User

  • String name
  • String address

Product

  • String name
  • String description
  • User owner <== One to Many Relationship Between User and Product

To create a new product for the owner with id = 1, you can submit the following request:

http://localhost:8080/aplicationName/product/create?owner.id=1

But, if you submit the following request, you will be able to change the name of the User with id = 1

http://localhost:8080/aplicationName/product/create?owner.id=1&owner.name=newName

-------------------------------------------------- ----------------------------------------------

Now suppose the existence of another class named Client.

Client

  • String name
  • String address

If you submit a POST request similar to the URL below, you will be able to change data in the client table.

http://localhost:8080/aplicationName/product/save?name=TV Samsung&description=Very good&client.id=1&client.name=newName

I know that the request above is a GET request, but submitting a POST request with these request parameters (client.id=1&client.name=newName) you will be able to change the name of the client with id=1.

This same behavior occurs with the update action.

On my system i solved this problem using the method discard() on the objects that should not be changed, but I think you need to take care of this problem urgently.

Thanks,
Carlos Ribeiro

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Burt Beckwith added a comment -

How are we supposed to differentiate between a fraudulent request and one that intentionally supports adding a Product and editing the User at the same time?

Show
Burt Beckwith added a comment - How are we supposed to differentiate between a fraudulent request and one that intentionally supports adding a Product and editing the User at the same time?
Hide
Permalink
Burt Beckwith added a comment -

Nothing is forcing you to use the generated controller code, e.g. "def instance = new Whatever(params)". You can extract data from the params object manually, or use the bindData method; see "Data Binding and Security concerns" in the docs: http://grails.org/doc/latest/guide/theWebLayer.html#dataBinding

Show
Burt Beckwith added a comment - Nothing is forcing you to use the generated controller code, e.g. "def instance = new Whatever(params)". You can extract data from the params object manually, or use the bindData method; see "Data Binding and Security concerns" in the docs: http://grails.org/doc/latest/guide/theWebLayer.html#dataBinding
Hide
Permalink
Carlos Ribeiro added a comment -

Instead of assigning the request parameters as follows:

ProdutoInstance product = new Product (params)

i tried something like this:

ProdutoInstance product = new Product ()

productInstance.name = params.name
productInstance.description = params.description
productInstance.owner Product.get = (params ['owner.id'] as long)

But this did not prevent a request like the one below to change the name of the owner of a product.

http://localhost:8080/aplicationName/product/save?name=TV&description=Good&owner.id=1&owner.name=newName

Sorry, but i did not found a solution for this problem in the documentation.

Show
Carlos Ribeiro added a comment - Instead of assigning the request parameters as follows: ProdutoInstance product = new Product (params) i tried something like this: ProdutoInstance product = new Product () productInstance.name = params.name productInstance.description = params.description productInstance.owner Product.get = (params ['owner.id'] as long) But this did not prevent a request like the one below to change the name of the owner of a product. http://localhost:8080/aplicationName/product/save?name=TV&description=Good&owner.id=1&owner.name=newName Sorry, but i did not found a solution for this problem in the documentation.
Hide
Permalink
Carlos Ribeiro added a comment -

Just correcting the previous post that has some mistakes.

Instead of assigning the request parameters as follows:

Product productInstance = new Product (params)

i tried something like this (extracting data from the params object manually):

Product productInstance = new Product ()

productInstance.name = params.name
productInstance.description = params.description
productInstance.owner = Product.get = (params ['owner.id'] as long)

But this did not prevent a request like the one below to change the name of the owner of a product.

http://localhost:8080/aplicationName/product/save?name=TV&description=Good&owner.id=1&owner.name=newName

Sorry, but i did not find a solution for this problem in the documentation.

Show
Carlos Ribeiro added a comment - Just correcting the previous post that has some mistakes. Instead of assigning the request parameters as follows: Product productInstance = new Product (params) i tried something like this (extracting data from the params object manually): Product productInstance = new Product () productInstance.name = params.name productInstance.description = params.description productInstance.owner = Product.get = (params ['owner.id'] as long) But this did not prevent a request like the one below to change the name of the owner of a product. http://localhost:8080/aplicationName/product/save?name=TV&description=Good&owner.id=1&owner.name=newName Sorry, but i did not find a solution for this problem in the documentation.
Hide
Permalink
Burt Beckwith added a comment -

Please create a small test app that demonstrates this. Run "grails bug-report" and attach the generated zip file here and I'll take a look.

Show
Burt Beckwith added a comment - Please create a small test app that demonstrates this. Run "grails bug-report" and attach the generated zip file here and I'll take a look.
Hide
Permalink
Carlos Ribeiro added a comment -

How do i attach the zip file here?

Show
Carlos Ribeiro added a comment - How do i attach the zip file here?
Hide
Permalink
Burt Beckwith added a comment -

I've reopened it so you can attach files.

Show
Burt Beckwith added a comment - I've reopened it so you can attach files.
Hide
Permalink
Carlos Ribeiro added a comment -

To see what i mean as a problem, just execute the application and submit this URL:

http://localhost:8080/test/product/save?name=TV&description=good&user.id=2&user.name=newName

and you will see that the name of the user with id=2 was changed from Jorge to newName.

Show
Carlos Ribeiro added a comment - To see what i mean as a problem, just execute the application and submit this URL: http://localhost:8080/test/product/save?name=TV&description=good&user.id=2&user.name=newName and you will see that the name of the user with id=2 was changed from Jorge to newName.
Hide
Permalink
Carlos Ribeiro added a comment -

I think i understood what is going on. A persistent object is being retrieved from the database and assigned to the user field of ProductCommand. Then the ProductCommand object is being updated and that propagates the update to the database. That's it, right?

Show
Carlos Ribeiro added a comment - I think i understood what is going on. A persistent object is being retrieved from the database and assigned to the user field of ProductCommand. Then the ProductCommand object is being updated and that propagates the update to the database. That's it, right?
Hide
Permalink
Carlos Ribeiro added a comment -

Sorry to bother you, in order to understand what is happening. I realised that the user field of the ProductCommand class should be transient or of type UserCommand. Sorry about that.

Show
Carlos Ribeiro added a comment - Sorry to bother you, in order to understand what is happening. I realised that the user field of the ProductCommand class should be transient or of type UserCommand. Sorry about that.
Hide
Permalink
Carlos Ribeiro added a comment -

To solve the problem of possible fraudulent requests, i stopped using closures for command validation, i e, i replaced the following lines

{class ProductController
...
def save = {
ProductCommand pc ->

if (pc.hasErrors ())

{ render (view: "create", model: [productInstance: pc]) }

else
{
...

by this lines of code:

{class ProductController
...
def save = {
ProductCommand pc = new ()
BindData (cp, params, [include: ['name', 'description', 'user']])
pc.validate ()
if (pc.hasErrors ())

{ render (view: "create", model: [productInstance: pc]) }

else
{
ProductInstance product = new Product ()
BindData (productInstance, params, [include: ['name', 'description', 'user']])
if (productInstance.save (flush: true))
...

The problem is that now i am experiencing the following error when I run the validate() method on the ProductCommand object:

No signature of method: model.ProductCommand.validate () is Applicable for argument types: () values: []

But this error only happened when i removed from the ProductController the last closure that was validating de command object.

So if i add the action below (that uses a closure to validate a ProductComand object) to the ProductController, the error disappers:

def abc =

{ ProductCommand pc -> pc.validate () }

Should I create a new issue for this problem?

Show
Carlos Ribeiro added a comment - To solve the problem of possible fraudulent requests, i stopped using closures for command validation, i e, i replaced the following lines {class ProductController ... def save = { ProductCommand pc -> if (pc.hasErrors ()) { render (view: "create", model: [productInstance: pc]) } else { ... by this lines of code: {class ProductController ... def save = { ProductCommand pc = new () BindData (cp, params, [include: ['name', 'description', 'user'] ]) pc.validate () if (pc.hasErrors ()) { render (view: "create", model: [productInstance: pc]) } else { ProductInstance product = new Product () BindData (productInstance, params, [include: ['name', 'description', 'user'] ]) if (productInstance.save (flush: true)) ... The problem is that now i am experiencing the following error when I run the validate() method on the ProductCommand object: No signature of method: model.ProductCommand.validate () is Applicable for argument types: () values: [] But this error only happened when i removed from the ProductController the last closure that was validating de command object. So if i add the action below (that uses a closure to validate a ProductComand object) to the ProductController, the error disappers: def abc = { ProductCommand pc -> pc.validate () } Should I create a new issue for this problem?
Hide
Permalink
Jeff Brown added a comment -

This doesn't look like a bug.

Show
Jeff Brown added a comment - This doesn't look like a bug.
Hide
Permalink
Carlos Ribeiro added a comment -

Not a Bug? It was fixed in Grails 2.

Show
Carlos Ribeiro added a comment - Not a Bug? It was fixed in Grails 2.
Hide
Permalink
Jeff Brown added a comment -

Who fixed it?

Show
Jeff Brown added a comment - Who fixed it?
Hide
Permalink
Jeff Brown added a comment -

I don't think the behavior described in the description is a bug and I am not sure what might have been fixed about it. Anyone?

Show
Jeff Brown added a comment - I don't think the behavior described in the description is a bug and I am not sure what might have been fixed about it. Anyone?
Hide
Permalink
Carlos Ribeiro added a comment -

ok, perhaps not a bug, but a not desired characteristic. In Grails 2 this characteristic does not exist anymore.

Show
Carlos Ribeiro added a comment - ok, perhaps not a bug, but a not desired characteristic. In Grails 2 this characteristic does not exist anymore.

People

  • Assignee:
    Unassigned
    Reporter:
    Carlos Ribeiro
Vote (0)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved: