
io.codemodder.codemods.VerbTamperingCodemod.description.md
The `web.xml` deployment descriptor offers a way to protect parts of your URL space. Unfortunately, it doesn't work the way many people think it does, and developers who are trying to tighten their security often end up accidentally exposing the very parts they were trying to protect.

Consider the following `web.xml`, which is trying to restrict the `/admin/*` space to only those with the `admin` role:
```xml
<security-constraint>
  <web-resource-collection>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

This protection works as expected, with one regrettable caveat. Notice that the `GET` and `POST` methods are listed explicitly. Developers often specify methods like this because they believe it further restricts which methods can reach the resource.

Unfortunately, the logic of the mechanism is the opposite of that. Listing `<http-method>` elements narrows the constraint to those verbs only: if a user issues any other HTTP method, in this case `HEAD`, `PUT`, `DELETE`, or even a nonsense verb like `JEFF`, the constraint is not considered to apply to the matching `<url-pattern>`, no authentication or role check is performed, and the requester is granted unfettered access. The listing does nothing to stop those other verbs from reaching the servlet; it only stops the constraint from applying to them.

Our change is simple: any place we see `<http-method>` listed in a `<web-resource-collection>`, we remove it:

```diff
  <security-constraint>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
-     <http-method>GET</http-method>
-     <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
```

Taking out all the `<http-method>` entries tells the server that this constraint must be enforced for every method, which is almost always what the developer intended. If you really do need per-verb rules, Servlet 3.1 added two safer tools: `<http-method-omission>`, which constrains every verb except the ones listed, and `<deny-uncovered-http-methods/>`, which tells the container to reject any verb a constraint leaves uncovered instead of letting it through.
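As an added example (not code from the codemodder project), here is a small Python script that models the servlet rule described above, flags `<web-resource-collection>` elements that list `<http-method>`, and applies the same fix by removing them. The sample `web.xml` is constructed for this example, and `is_protected` is a deliberately simplified model of the container's constraint matching (prefix and exact patterns only), not a real servlet container.

```python
"""Detect and fix verb-tampering-prone <security-constraint> entries in a web.xml."""
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://xmlns.jcp.org/xml/ns/javaee"

# Constructed sample for this example (not from any real application). The first
# constraint has the flaw the page describes: listing GET and POST narrows the
# constraint to those two verbs only.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>analyst</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag such as '{uri}url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _collections(root):
    return [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]


def find_uncovered_constraints(xml_text):
    """Return (url_patterns, listed_methods) for each collection that lists <http-method>.

    Every such collection leaves all other verbs unconstrained."""
    findings = []
    for wrc in _collections(ET.fromstring(xml_text)):
        methods = [m.text.strip().upper() for m in _children(wrc, "http-method")]
        if methods:
            patterns = [p.text.strip() for p in _children(wrc, "url-pattern")]
            findings.append((patterns, methods))
    return findings


def _pattern_matches(pattern, path):
    # Simplified servlet matching: '/prefix/*' patterns and exact paths only.
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return pattern == path


def is_protected(xml_text, path, method):
    """Model of the container rule: a constraint applies only if the path matches
    one of its url-patterns AND (no <http-method> is listed OR the request's
    method is one of those listed). Anything else passes through unconstrained."""
    root = ET.fromstring(xml_text)
    for wrc in _collections(root):
        patterns = [p.text.strip() for p in _children(wrc, "url-pattern")]
        methods = {m.text.strip().upper() for m in _children(wrc, "http-method")}
        if any(_pattern_matches(p, path) for p in patterns):
            if not methods or method.upper() in methods:
                return True
    return False


def remove_http_methods(xml_text):
    """The fix the page describes: drop every <http-method> so each constraint covers all verbs.

    Returns (fixed_xml, number_of_elements_removed)."""
    ET.register_namespace("", JAVAEE_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    removed = 0
    for wrc in _collections(root):
        for m in _children(wrc, "http-method"):
            wrc.remove(m)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for patterns, methods in find_uncovered_constraints(SAMPLE_WEB_XML):
        print(f"{patterns}: only {methods} constrained; every other verb is open")
    print("PUT /admin/users protected before fix:", is_protected(SAMPLE_WEB_XML, "/admin/users", "PUT"))
    fixed, n = remove_http_methods(SAMPLE_WEB_XML)
    print(f"removed {n} <http-method> elements")
    print("PUT /admin/users protected after fix:", is_protected(fixed, "/admin/users", "PUT"))
```

Run against the sample, `find_uncovered_constraints` reports only the `/admin/*` collection, `is_protected` says `PUT` (or `JEFF`) to `/admin/users` is not covered before the fix and is covered after it, while the `/reports/*` constraint, which never listed verbs, is unaffected either way.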
