Request handler method accepts persistent object as argument JAVA-S1061

Spring request handlers should not allow persistent objects (@Entity and @Document) to be passed through arguments.

Spring automatically binds request parameters to arguments of request handling methods annotated with @RequestMapping, @GetMapping, @PostMapping etc. Persistent objects, i.e. instances of classes annotated with @Entity or @Document, are modified by a persistence framework such as Hibernate.

Having persistent objects as arguments to request handling methods is dangerous because it might allow malicious users to craft input that could beat Spring's security mechanisms. If this practice is followed, in certain cases it might be possible to modify the fields of a table in an unexpected manner.

Bad Practice

@Entity
public class Book {}

@Controller
public class SomeController {
    @PostMapping
    public String saveBook(Book book) {
        bookRepository.save(book);
    }
}

Recommended

Consider introducing a Data Transfer Object (DTO).

public class BookDTO {}

@Controller
public class SomeController {
    @PostMapping
    public String saveBook(BookDTO bookDTO) {
        Book book = new Book();
        // ... map fields manually between `bookDTO` and `book`.
        bookRepository.save(book);
    }
}

References

• OWASP Top Ten (2021) - Category A08 - Software and Data Integrity Failures
• OWASP Top Ten (2021) - Category A01 - Broken Access Control
• OWASP Top Ten (2021) - Category A03 - Injection
• CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
• CWE-502 - Deserialization of Untrusted Data
• Two Security Vulnerabilities in the Spring Framework's MVC (PDF)