Securing JSON-PATCH paths in Spring Boot Data Rest application

sofend :

I'm using a pretty vanilla spring-boot-starter-data-rest setup and enabled the PATCH method. All is working, but I have a security concern and wonder what's the recommended way of mitigating it.

The problem is that PATCH paths allow reachable entities to be updated from a different endpoint. So, suppose I have a comments endpoint and an article endpoint. Each comment has a to-one association with its article. A user that has permission to edit a comment could then do something like this:

PATCH http://some.domain.foo/api/comments/1234
Content-Type: application/json-patch+json

[
    { "op": "replace", "path": "/article/title", "value": "foobar2" }
]

and thereby change the title of the article!!

Clearly this ain't good.

In this case, for other parts of the API the association to the "article" needs to be traversable. But it must be read-only.

So... how do I accomplish this in Spring?

Intercept the request? Implement a handler method? Write my own Controller from scratch?

Thanks!

aux :

Seems that the current implementation of spring-data-rest converts paths to SpEL to apply values directly on beans. See PatchOperation (v2.5.x).

Consider these options:

  • Instead of json-patch, use a json-merge PATCH request to send partial updates (with "application/json" or "application/merge-patch+json" content type). This will respect @JsonIgnore and other Jackson annotations and also treat associations differently.
  • You can disable "json-patch+json" completely, for example by adding a security filter.
  • You can always create your custom json-patch implementation, if you still need it.
  • Use application-level joining not relying on JPA, i.e. only exposing IDs of the linked entities and providing custom links in your ResourceProcessor.

Additionally, if you're using JPA and Comment.article is annotated with @ManyToOne, make sure that there's no cascading on the association. Even if the article object is modified by the patch, it won't be saved together with the comment.
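The following servlet filter is an added example combining the second option above (refusing "json-patch+json" where it is not wanted) with an allowlist check on the patch paths themselves, so a patch sent to the comments endpoint can never name a pointer such as "/article/title" that walks into the associated article. It is not code from the question, the answer or Spring Data REST. It assumes Spring Boot on the javax.servlet API (Boot 1.x/2.x; on Boot 3 the imports become jakarta.servlet), a REST base path of "/api", and a constructed Comment field named "text"; the endpoint prefixes in WRITABLE are placeholders to adapt.

```java
// Added example (not from the question, the answer or Spring Data REST itself).
// Assumes javax.servlet (Spring Boot 1.x/2.x); use jakarta.servlet on Boot 3.
// The "/api/comments/" prefix and the "text" field name are constructed for illustration.
package example.security;

import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.stereotype.Component;
import org.springframework.util.StreamUtils;

@Component
public class JsonPatchPathFilter implements Filter {
    private static final String JSON_PATCH = "application/json-patch+json";
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Per-endpoint allowlist of top-level properties a JSON Patch may touch.
    // Endpoints with no entry receive no JSON Patch at all (default deny).
    private static final Map<String, Set<String>> WRITABLE = new HashMap<>();
    static {
        WRITABLE.put("/api/comments/", new HashSet<>(Arrays.asList("text")));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String ct = http.getContentType();
        boolean jsonPatch = "PATCH".equalsIgnoreCase(http.getMethod())
                && ct != null && ct.toLowerCase(Locale.ROOT).startsWith(JSON_PATCH);
        if (!jsonPatch) {                       // merge-patch, PUT, GET ... pass through untouched
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse out = (HttpServletResponse) res;
        Set<String> allowed = writableFor(http.getRequestURI());
        if (allowed == null) {
            out.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, "JSON Patch is not enabled here");
            return;
        }
        // The body can be read only once: buffer it, inspect it, then replay it downstream.
        byte[] body = StreamUtils.copyToByteArray(http.getInputStream());
        String offending = firstDisallowedPath(body, allowed);
        if (offending != null) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "JSON Patch path not permitted: " + offending);
            return;
        }
        chain.doFilter(new BufferedBodyRequest(http, body), res);
    }

    static Set<String> writableFor(String uri) {
        for (Map.Entry<String, Set<String>> e : WRITABLE.entrySet()) {
            if (uri.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }

    /** Returns the first "path" or "from" pointer outside the allowlist, or null if all are fine. */
    static String firstDisallowedPath(byte[] body, Set<String> allowed) throws IOException {
        JsonNode ops = MAPPER.readTree(body);
        if (ops == null || !ops.isArray()) return "<body is not a JSON Patch array>";
        for (JsonNode op : ops) {
            for (String key : new String[] {"path", "from"}) {   // "from" matters for move/copy
                JsonNode node = op.get(key);
                if (node == null) continue;
                String pointer = node.asText();
                // Only a single-segment pointer ("/text") names a property of this resource:
                // "" targets the whole document and "/article/title" walks into the association.
                boolean singleSegment = pointer.startsWith("/") && pointer.indexOf('/', 1) < 0;
                if (!singleSegment || !allowed.contains(pointer.substring(1))) return pointer;
            }
        }
        return null;
    }

    /** Request wrapper replaying the buffered body so Spring Data REST can still read it. */
    static class BufferedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;
        BufferedBodyRequest(HttpServletRequest request, byte[] body) { super(request); this.body = body; }
        @Override public ServletInputStream getInputStream() {
            ByteArrayInputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return in.read(); }
                @Override public boolean isFinished() { return in.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener listener) { }
            };
        }
        @Override public BufferedReader getReader() {
            return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
        }
    }
}
```

With this in place, the request from the question (a "replace" on "/article/title" against /api/comments/1234) is answered with 403 before Spring Data REST ever turns the pointer into SpEL, while a patch on "/text" is forwarded unchanged. Checking "from" as well as "path" closes the same hole for "move" and "copy" operations, and treating an unlisted endpoint as 415 rather than forwarding keeps the default on the safe side as new repositories are exposed.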
