Comments on Thoughts.: What Grails developers can learn from the Github/Rails Mass Assignment Vulnerability

Anonymous (https://www.blogger.com/profile/03563480971615841035), 2012-03-14 00:32 UTC:

Thanks, Phuong! I'll take a look at it.

Phuong (https://github.com/plecong), 2012-03-13 22:11 UTC:

Hi, I took a first crack at making a Grails plugin that implements your dataBindable static attribute. It basically just hooks the 2 domain class extensions that are added by the Controller plugin. I still need to add an ability to intercept the 2-arg bindData method, and I'd like to add a "strict" configuration such that if it's enabled, then the default dataBindable is an empty list.

Here it is on Github, but I plan on sending a message to the mailing list to get it added: https://github.com/plecong/grails-safebindable

Anonymous (https://www.blogger.com/profile/01154315948247678050), 2012-03-06 18:22 UTC:

I'm wondering if CodeNarc rules could be written to help point these sorts of "bad design" out. Sort of like having a senior-level developer always available on your project. Unfortunately, it takes time to understand the nuances of these frameworks, and most of these new convention-over-configuration frameworks roll out these bad designs in the early tutorials so that they become frozen accidents, almost impossible to root out of the dev community. Static analysis tools would certainly help.

Jasen (https://www.blogger.com/profile/17612368694261383142), 2012-03-06 17:27 UTC:

Very nice write-up.

I always thought binding directly to "params" was fraught with peril.

Anonymous (https://www.blogger.com/profile/03563480971615841035), 2012-03-06 03:54 UTC:

Thanks, Jason. I wish I could have made it more concise :-)

The more I think about this, it seems that there should be some way of identifying non-protected properties that are suitable for potentially insecure operations. Perhaps the name "dataBindable" is too specific in this case...

Jason Davis, 2012-03-06 03:48 UTC:

Nice concise assessment of things. I agree with you on the property in the domain class.
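The thread above discusses a per-domain-class "dataBindable" whitelist and a "strict" mode whose default is an empty list. The following is an added illustration of that idea in plain Groovy; it is not code from the post, from Grails, or from the grails-safebindable plugin, and it runs without a Grails runtime. The User and BlogPost classes, the SafeBinder helper and the request parameter maps are all constructed here for the demonstration; the real plugin hooks Grails' own binding, which this script only simulates.

```groovy
// Added example: simulated mass-assignment binding with a "dataBindable" whitelist.
// Nothing here is Grails or plugin code; User, BlogPost, SafeBinder and the params
// maps are constructed for the illustration.

class User {
    String username
    String email
    boolean admin = false

    // Hypothetical whitelist: the only properties a request is allowed to set.
    static List<String> dataBindable = ['username', 'email']
}

class BlogPost {
    String title
    boolean published = false
    // No dataBindable declared: what happens depends on "strict" mode below.
}

class SafeBinder {
    /** The vulnerable pattern (what new User(params) amounts to): every matching parameter is copied. */
    static void unsafeBind(Object target, Map params) {
        params.each { key, value ->
            String name = key as String
            if (target.hasProperty(name)) {
                target[name] = value   // 'admin' came straight from the request and is applied
            }
        }
    }

    /**
     * Whitelist binding. Uses the target class's static dataBindable list when one is declared.
     * Without one, strict=true binds nothing (secure default) and strict=false binds every
     * matching parameter (the permissive default the thread warns about).
     * Returns the names of the properties that were actually bound.
     */
    static List<String> bind(Object target, Map params, boolean strict = true) {
        List<String> allowed
        if (target.hasProperty('dataBindable')) {
            allowed = target.dataBindable as List<String>
        } else {
            allowed = strict ? [] : (params.keySet() as List<String>)
        }
        List<String> bound = []
        params.each { key, value ->
            String name = key as String
            if (name in allowed && target.hasProperty(name)) {
                target[name] = value
                bound << name
            }
        }
        return bound
    }
}

// Constructed request parameters, as a tampered form POST would deliver them.
// Note: a real binder converts types; here Groovy truth makes any non-empty string true.
Map params = [username: 'alice', email: 'alice@example.com', admin: 'true']

def victim = new User()
SafeBinder.unsafeBind(victim, params)
assert victim.admin                          // mass assignment: the user made themselves admin

def safe = new User()
List<String> bound = SafeBinder.bind(safe, params)
assert bound == ['username', 'email']
assert !safe.admin                           // 'admin' was dropped because it is not whitelisted

Map postParams = [title: 'hello', published: 'true']
def strictPost = new BlogPost()
assert SafeBinder.bind(strictPost, postParams) == []   // strict mode, no whitelist: nothing bound
assert !strictPost.published

def laxPost = new BlogPost()
assert SafeBinder.bind(laxPost, postParams, false) == ['title', 'published']
assert laxPost.published                     // non-strict default reproduces the hole

println "unsafe admin=${victim.admin}, safe admin=${safe.admin}, strict bound=${SafeBinder.bind(new BlogPost(), postParams)}"
```

Run it with `groovy` and all assertions pass. In a real Grails 2.x controller the same whitelist can be applied without a plugin by replacing `new User(params)` with `bindData(user, params, [include: User.dataBindable])`, or by binding `params.subMap(User.dataBindable)`; the plugin described in the thread is what makes that the default rather than something each controller has to remember.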