I'm using a pretty vanilla spring-boot-starter-data-rest setup and enabled the PATCH method. All is working, but I have a security concern and wonder what's the recommended way of mitigating it.
The problem is that PATCH paths allow reachable entities to be updated from a different endpoint. So, suppose I have a comments endpoint and an article endpoint. Each comment has a to-one association with its article. A user that has permission to edit a comment could then do something like this:
PATCH http://some.domain.foo/api/comments/1234
Content-Type: application/json-patch+json
[
{ "op": "replace", "path": "/article/title", "value": "foobar2" }
]
and thereby change the title of the article!
Clearly this ain't good.
In this case, for other parts of the API the association to the "article" needs to be traversable. But it must be read-only.
So... how do I accomplish this in Spring?
Intercept the request? Implement a handler method? Write my own Controller from scratch?
Thanks!
The PATCH HTTP method requires a request body. The body of the request must contain a representation of the JSON Patch operations that you want to perform on the resource.
Seems that the current implementation of spring-data-rest converts paths to SpEL to apply values directly on beans. See PatchOperation (v2.5.x).
Consider these options:
@JsonIgnore and other Jackson annotations.
Treat associations differently (ResourceProcessor).
Additionally, if you're using JPA and Comment.article is annotated with @ManyToOne, make sure that there's no cascading on the association. Even if the article object is modified with a patch, it won't be saved together with the comment.
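One request-level way to make the association read-only, added here as an example and not taken from the question, the answer or Spring Data REST itself: a servlet filter that inspects every application/json-patch+json body before it reaches the repository handler and rejects any operation whose path or from pointer enters a protected association. The collection prefix /api/comments/ and the protected pointer /article come from the question; the class names, the PROTECTED map and the use of javax.servlet (Spring Boot 1.x/2.x) are assumptions of this example.

```java
// Added example (not from the original page). Assumes Spring Boot 1.x/2.x with
// javax.servlet, spring-web and Jackson on the classpath. The mapping of
// "/api/comments/" -> "/article" is a hypothetical configuration for the
// scenario in the question.
package example.patchguard;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.stereotype.Component;
import org.springframework.util.StreamUtils;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

@Component
public class JsonPatchAssociationGuard extends OncePerRequestFilter {

    private static final String JSON_PATCH = "application/json-patch+json";
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Which associations must stay read-only under which collection resource.
    // Pointers are compared as JSON Pointer prefixes: "/article" blocks
    // "/article", "/article/title" and "/article/author/name", but not "/articleCount".
    private static final Map<String, List<String>> PROTECTED =
        Collections.singletonMap("/api/comments/", Arrays.asList("/article"));

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String contentType = request.getContentType();
        if (!"PATCH".equalsIgnoreCase(request.getMethod()) || contentType == null
                || !contentType.toLowerCase().startsWith(JSON_PATCH)) {
            chain.doFilter(request, response);
            return;
        }
        List<String> protectedPrefixes = protectedPrefixesFor(request.getRequestURI());
        // Read the body once; Spring Data REST still needs it, so it is replayed below.
        byte[] body = StreamUtils.copyToByteArray(request.getInputStream());
        if (!protectedPrefixes.isEmpty()) {
            String offending = firstOffendingPath(MAPPER.readTree(body), protectedPrefixes);
            if (offending != null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "JSON Patch pointer " + offending + " targets a read-only association");
                return;
            }
        }
        chain.doFilter(new CachedBodyRequest(request, body), response);
    }

    static List<String> protectedPrefixesFor(String uri) {
        for (Map.Entry<String, List<String>> e : PROTECTED.entrySet()) {
            if (uri.startsWith(e.getKey())) return e.getValue();
        }
        return Collections.emptyList();
    }

    /** First "path" or "from" pointer (move/copy also read the source) that enters a protected association, else null. */
    static String firstOffendingPath(JsonNode patch, List<String> protectedPrefixes) {
        if (!patch.isArray()) return "<malformed: RFC 6902 requires an array>";
        for (JsonNode op : patch) {
            for (String field : new String[] {"path", "from"}) {
                JsonNode p = op.get(field);
                if (p == null || !p.isTextual()) continue;
                String pointer = p.asText();
                for (String prefix : protectedPrefixes) {
                    if (pointer.equals(prefix) || pointer.startsWith(prefix + "/")) return pointer;
                }
            }
        }
        return null;
    }

    /** Request wrapper that replays the already-consumed body to downstream handlers. */
    private static final class CachedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;
        CachedBodyRequest(HttpServletRequest request, byte[] body) { super(request); this.body = body; }
        @Override public ServletInputStream getInputStream() {
            ByteArrayInputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return in.read(); }
                @Override public boolean isFinished() { return in.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener listener) { }
            };
        }
        @Override public BufferedReader getReader() {
            return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
        }
    }
}
```

With this filter in place the request from the question is answered with 403 before any SpEL path is evaluated, while a patch such as {"op":"replace","path":"/text","value":"..."} on the same comment passes through. Two caveats: Spring Data REST also accepts application/merge-patch+json, where the same change would arrive as a nested object ({"article": {"title": "..."}}) rather than a pointer, so that content type needs an equivalent check on the nested keys; and the prefix comparison deliberately works on the raw JSON Pointer text, so an escaped "~1" in a segment denotes a literal "/" in a property name and is not treated as a path separator. Removing cascade from the @ManyToOne, as the answer recommends, remains worth doing as defence in depth, but it is a persistence-layer detail rather than an authorization decision, which is why this example enforces the rule at the request boundary.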