
I have an API in Spring Boot. In the controller layer, any POST that has a custom object annotated with @RequestBody flags Snyk security findings in the security pipeline.

For example:

public ResponseEntity<CustomObject> getCustomObject(@RequestBody CustomRequest customRequest) {
  // code
}

The security report would show:

✗ [Low] Spring Cross-Site Request Forgery (CSRF) 

Controller: Line 10

Info: The request parameter is vulnerable to Cross Site Request Forgery (CSRF) attacks due to not using Spring Security. This could allow an attacker to execute requests on a user's behalf. Consider including Spring Security's CSRF protection within your application.

If I remove the @RequestBody, the security report doesn't flag it anymore.

I have tried other validations such as @Valid and @Validated, as well as field value annotations on the object, but nothing works. I am wondering if there is a way around this without having to write a custom deserializer instead of using @RequestBody or adding it as a false positive.

1 Comment

Enable CSRF protection or simply ignore the warning. Commented Feb 1 at 7:39

1 Answer


I have tried other validations such as @Valid and @Validated, as well as field value annotations on the object, but nothing works. I am wondering if there is a way around this without having to write a custom deserializer instead of using @RequestBody or adding it as a false positive.

This has nothing to do with @RequestBody in particular.

You probably disabled (or didn't configure) CSRF in your security configuration.

If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection

More information about CSRF can be found in the official Spring Security documentation.

Here is an example of a configuration file taken from the getting started page:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((requests) -> requests
                .requestMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin((form) -> form
                .loginPage("/login")
                .permitAll()
            )
            .logout((logout) -> logout.permitAll());

        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user =
             User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();

        return new InMemoryUserDetailsManager(user);
    }
}

If you don't have this in any shape or form, I suggest you start there.


4 Comments

I already have the web security filters with CSRF disabled. If I enable CSRF, it still flags the controller methods that use RequestBody. If I remove RequestBody, it no longer flags them. My question was: what is the reasoning behind flagging it as vulnerable when using RequestBody?
@Ddeokbokki The fact that you can send data to that endpoint is what makes your endpoint vulnerable. If your endpoint doesn't accept data, then an attacker can't manipulate your system.
In the Spring docs you sent, it did say the following: 'If an application were not validating the Content-Type, then it would be exposed to this exploit.' Simply updating my API with 'consumes = MediaType.APPLICATION_JSON_VALUE' has removed the warning.
@Ddeokbokki Makes sense. If your endpoint expects application/json then it is not serving browsers, which is coherent with what I wrote in the answer.
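The two pieces of the fix discussed in the answer and the comments, combined into one added example (not code from the question, the answer, or the Spring project): a security configuration that keeps CSRF protection enabled, and a controller whose POST endpoint declares `consumes = MediaType.APPLICATION_JSON_VALUE`. The Content-Type restriction matters because a plain cross-site HTML form can only submit `application/x-www-form-urlencoded`, `multipart/form-data` or `text/plain`; a request carrying `application/json` is not a "simple" request under CORS, so a browser will not send it cross-origin without a preflight the server must approve. The `/custom-objects` path, the `CustomRequest`/`CustomObject` records and the HTTP Basic login are assumptions for illustration. The cookie-based token repository assumes a browser client that reads the `XSRF-TOKEN` cookie and echoes it in the `X-XSRF-TOKEN` header, which is Spring Security's default header name for that repository.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Added example (Spring Boot 3 / Spring Security 6 API, as in the answer's config).
// CSRF stays enabled; the token is exposed in a readable cookie so a JavaScript
// client on the same origin can copy it into the X-XSRF-TOKEN request header.
@Configuration
@EnableWebSecurity
public class CsrfAwareConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
            // Do NOT call csrf.disable(); keep the filter and choose how the token is delivered.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            // Assumed login mechanism for the example; the question does not say which one is used.
            .httpBasic(Customizer.withDefaults());

        return http.build();
    }
}

// Assumed request/response types standing in for the question's CustomRequest/CustomObject.
record CustomRequest(String name) {}
record CustomObject(String name) {}

@RestController
class CustomObjectController {

    // `consumes` makes Spring reject any body that is not application/json with 415 Unsupported
    // Media Type before the handler runs. A forged HTML form submission, which cannot carry that
    // Content-Type, therefore never reaches this method. This is defence in depth alongside the
    // CSRF token, not a substitute for it: a permissive CORS policy would reopen the JSON path.
    @PostMapping(
        path = "/custom-objects",                       // assumed path
        consumes = MediaType.APPLICATION_JSON_VALUE,
        produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<CustomObject> getCustomObject(@RequestBody CustomRequest customRequest) {
        return ResponseEntity.ok(new CustomObject(customRequest.name()));
    }
}
```

A quick check that the restriction is in force: a POST to `/custom-objects` with `Content-Type: application/x-www-form-urlencoded` should come back as 415 even for an authenticated caller, while the same body sent as `application/json` with a valid `X-XSRF-TOKEN` header is accepted. If the JSON request is rejected with 403, the token is missing or stale, which is the CSRF filter working as intended rather than a bug in the controller.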
