DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Java

Java

Made by DeepSource
Use Analyzer

@RequestMapping must restrict the allowed HTTP methods JAVA-S1065

Security
Critical
 a05 cwe-352 a04 owasp top 10

Request handlers annotated with @RequstMapping must limit the allowed HTTP methods.

Request handlers annotated with @RequstMapping are mapped to all HTTP request methods. For security reasons, CSRF protection is disabled for GET, HEAD, TRACE, and OPTIONS requests by default. If a request handler annotated with @RequestMapping happens to modify application state and the allowed HTTP method is not narrowed down to POST, PUT, DELETE, and/or PATCH, such misconfigurations can make your application susceptible to CSRF attacks.

Bad Practice

@RequestMapping("/path")
public void saveToDB() {
    // ...proceed to modify application state
}

Recommended

When using @RequestMapping, make sure to always limit which HTTP methods are allowed.

@RequestMapping(value = "/path", method = RequestMethod.POST)
 public void saveToDB() {
    // ...proceed to modify application state
}

References

  • OWASP Top Ten (2021) - Category A04 - Insecure Design
  • OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
  • CWE-352 - Cross-Site Request Forgery (CSRF)
  • Baeldung - [A Guide to CSRF Protection in Spring Security]j(https://www.baeldung.com/spring-security-csrf)