Java

Java

By DeepSource

@RequestMapping must restrict the allowed HTTP methods JAVA-S1065

Security

Request handlers annotated with @RequstMapping must limit the allowed HTTP methods.

Request handlers annotated with @RequstMapping are mapped to all HTTP request methods. For security reasons, CSRF protection is disabled for GET, HEAD, TRACE, and OPTIONS requests by default. If a request handler annotated with @RequestMapping happens to modify application state and the allowed HTTP method is not narrowed down to POST, PUT, DELETE, and/or PATCH, such misconfigurations can make your application susceptible to CSRF attacks.

Bad Practice

@RequestMapping("/path")
public void saveToDB() {
    // ...proceed to modify application state
}

Recommended

When using @RequestMapping, make sure to always limit which HTTP methods are allowed.

@RequestMapping(value = "/path", method = RequestMethod.POST)
 public void saveToDB() {
    // ...proceed to modify application state
}

References

  • OWASP Top Ten (2021) - Category A04 - Insecure Design
  • OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
  • CWE-352 - Cross-Site Request Forgery (CSRF)
  • Baeldung - [A Guide to CSRF Protection in Spring Security]j(https://www.baeldung.com/spring-security-csrf)