Spring框架中的大量赋值漏洞分析与CodeQL挖掘技术<\/h1>

1. 大量赋值漏洞概述<\/h2>

1.1 基本概念<\/h3>
大量赋值(Mass Assignment)漏洞是指后端为了简化开发流程，自动将请求参数绑定到后端对象的属性上，但开发者没有限制哪些字段可以被赋值，导致攻击者可能注入原本不应由用户控制的敏感字段。<\/p>

1.2 常见表现形式<\/h3>

在获取用户列表请求中FUZZ SQL关键字<\/p>

示例：\/api\/user?name=ad&orderby=id&sort=desc,1\/0&limit=0,1 PROCEDURE ANALYSE(..)<\/code><\/li> <\/ul> <\/li>


在注册账号场景中FUZZ内部字段<\/p>

示例：尝试设置role=admin<\/code>或isAdmin=true<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
1.3 漏洞本质<\/h3>
后端接收了本不应暴露给用户的字段并进行处理，特别是当框架自动将请求参数绑定到对象属性时，如果没有适当的限制机制。<\/p>
2. Spring框架中的大量赋值漏洞<\/h2>
2.1 Spring框架简介<\/h3>
Spring Framework是一个开源的Java应用程序开发框架，以其轻量级、模块化和强大的依赖注入(DI)与面向切面编程(AOP)特性而广受欢迎。<\/p>
2.2 @RequestBody注解的风险<\/h3>
在Spring Web开发中，@RequestBody<\/code>注解能够将HTTP请求体中的JSON、XML等结构化数据反序列化为Java对象。这种自动映射机制可能引入安全隐患：<\/p>

自动绑定请求体数据到对象属性<\/li>
如果没有字段限制，攻击者可注入敏感字段<\/li>
可能导致权限提升等安全问题<\/li>
<\/ul>
2.3 漏洞示例分析<\/h3>
2.3.1 用户注册功能示例<\/h4>
User类定义<\/strong>：<\/p>
public<\/span> class<\/span> User<\/span> {<\/span>
<\/span><\/span>    private<\/span> String username;<\/span>
<\/span><\/span>    private<\/span> String password;<\/span>
<\/span><\/span>    private<\/span> String role;<\/span>  \/\/ 默认为"user"
<\/span><\/span><\/span><\/span>    \/\/ getters and setters
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Controller代码<\/strong>：<\/p>
@PostMapping<\/span>(<\/span>"\/register"<\/span>)<\/span>
<\/span><\/span>public<\/span> String register<\/span>(<\/span>@RequestBody<\/span> User user)<\/span> {<\/span>
<\/span><\/span>    userService.<\/span>save<\/span>(<\/span>user);<\/span>  \/\/ 直接保存用户对象
<\/span><\/span><\/span><\/span>    return<\/span> "注册成功"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>数据库表结构<\/strong>：<\/p>
CREATE<\/span> TABLE<\/span> User<\/span> (
<\/span><\/span>    username VARCHAR(255<\/span>),
<\/span><\/span>    password VARCHAR(255<\/span>),
<\/span><\/span>    role<\/span> VARCHAR(255<\/span>) DEFAULT<\/span> 'user'<\/span>
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>前端请求<\/strong>：<\/p>
{
<\/span><\/span>    "username"<\/span>: "attacker"<\/span>,
<\/span><\/span>    "password"<\/span>: "123456"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击者请求<\/strong>：<\/p>
{
<\/span><\/span>    "username"<\/span>: "attacker"<\/span>,
<\/span><\/span>    "password"<\/span>: "123456"<\/span>,
<\/span><\/span>    "role"<\/span>: "admin"<\/span>  \/\/ 注入管理员权限
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3.2 修复方案<\/h4>
在保存前显式设置role字段：<\/p>
@PostMapping<\/span>(<\/span>"\/register"<\/span>)<\/span>
<\/span><\/span>public<\/span> String register<\/span>(<\/span>@RequestBody<\/span> User user)<\/span> {<\/span>
<\/span><\/span>    user.<\/span>setRole<\/span>(<\/span>"user"<\/span>);<\/span>  \/\/ 显式设置角色
<\/span><\/span><\/span><\/span>    userService.<\/span>save<\/span>(<\/span>user);<\/span>
<\/span><\/span>    return<\/span> "注册成功"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 使用CodeQL挖掘大量赋值漏洞<\/h2>
3.1 CodeQL分析目标<\/h3>
通过CodeQL查找：<\/p>

使用@RequestBody<\/code>注解的参数<\/li>
参数类型为指定的数据结构<\/li>
未使用显式调用setter方法进行字段赋值<\/li>
<\/ol>
3.2 分析步骤详解<\/h3>
3.2.1 查找使用@RequestBody注解的参数<\/h4>
参考官方annotations-in-java案例：<\/p>
from Parameter p
where p.getAnAnnotation().getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestBody")
select p
<\/code><\/pre>
3.2.2 筛选特定类型的参数<\/h4>
定义绑定参数类型（示例中为org.linlinjava.litemall.db.domain<\/code>包下，符合LitemallXXX<\/code>命名格式）：<\/p>
predicate isTargetType(RefType r) {
    r.getPackage().getName() = "org.linlinjava.litemall.db.domain" and
    r.getName().matches("Litemall%")
}
<\/code><\/pre>
整合为BodyParameter<\/code>类：<\/p>
class BodyParameter extends Parameter {
    BodyParameter() {
        this.getAnAnnotation().getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestBody") and
        isTargetType(this.getType())
    }
}
<\/code><\/pre>
3.2.3 查找未显式调用的setter方法<\/h4>
定义SetterMethod<\/code>类：<\/p>
class SetterMethod extends Method {
    SetterMethod() {
        this.isPublic() and
        this.getName().matches("set%") and
        this.getNumberOfParameters() = 1
    }
}
<\/code><\/pre>
查询未显式调用的setter：<\/p>
from BodyParameter bp, SetterMethod sm
where not exists(MethodAccess ma | 
    ma.getMethod() = sm and 
    ma.getEnclosingCallable() = bp.getCallable()
)
select bp, sm
<\/code><\/pre>
3.2.4 优化查询：限制用户可访问API<\/h4>
添加可访问性限制：<\/p>
\/\/ 添加可访问性条件
where ...
and bp.getCallable().getDeclaringType().getASupertype*().hasQualifiedName("org.springframework.web.bind.annotation", "RestController")
<\/code><\/pre>
3.2.5 变量传递优化<\/h4>
确保参数传递到service层处理：<\/p>
class ServiceClass extends RefType {
    ServiceClass() {
        this.getName().matches("%Service") and
        this.getPackage().getName() = "org.linlinjava.litemall.db.service"
    }
}

\/\/ 添加数据流分析
where ...
and exists(DataFlow::Node source, DataFlow::Node sink |
    DataFlow::localFlow(source, sink) and
    source.asExpr() = bp.getAnAccess() and
    sink.asExpr().(MethodAccess).getMethod().getDeclaringType() instanceof ServiceClass
)
<\/code><\/pre>
3.2.6 处理getter方法调用<\/h4>
过滤掉使用getter方法对应的setter方法：<\/p>
class GetterMethod extends Method {
    GetterMethod() {
        this.isPublic() and
        this.getName().matches("get%") and
        this.getNumberOfParameters() = 0
    }
}

\/\/ 在where条件中添加
where ...
and not exists(MethodAccess ma |
    ma.getMethod().getName() = sm.getName().replaceAll("set", "get") and
    ma.getEnclosingCallable() = bp.getCallable()
)
<\/code><\/pre>
3.3 完整CodeQL查询示例<\/h3>
import java
import semmle.code.java.dataflow.DataFlow

predicate isTargetType(RefType r) {
    r.getPackage().getName() = "org.linlinjava.litemall.db.domain" and
    r.getName().matches("Litemall%")
}

class BodyParameter extends Parameter {
    BodyParameter() {
        this.getAnAnnotation().getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestBody") and
        isTargetType(this.getType())
    }
}

class SetterMethod extends Method {
    SetterMethod() {
        this.isPublic() and
        this.getName().matches("set%") and
        this.getNumberOfParameters() = 1
    }
}

class GetterMethod extends Method {
    GetterMethod() {
        this.isPublic() and
        this.getName().matches("get%") and
        this.getNumberOfParameters() = 0
    }
}

class ServiceClass extends RefType {
    ServiceClass() {
        this.getName().matches("%Service") and
        this.getPackage().getName() = "org.linlinjava.litemall.db.service"
    }
}

from BodyParameter bp, SetterMethod sm
where 
    not exists(MethodAccess ma | 
        ma.getMethod() = sm and 
        ma.getEnclosingCallable() = bp.getCallable()
    ) and
    bp.getCallable().getDeclaringType().getASupertype*().hasQualifiedName("org.springframework.web.bind.annotation", "RestController") and
    exists(DataFlow::Node source, DataFlow::Node sink |
        DataFlow::localFlow(source, sink) and
        source.asExpr() = bp.getAnAccess() and
        sink.asExpr().(MethodAccess).getMethod().getDeclaringType() instanceof ServiceClass
    ) and
    not exists(MethodAccess ma |
        ma.getMethod().getName() = sm.getName().replaceAll("set", "get") and
        ma.getEnclosingCallable() = bp.getCallable()
    )
select bp, sm, "Potential mass assignment vulnerability: " + sm.getName()
<\/code><\/pre>
4. 实际漏洞案例：CVE-2025-6702<\/h2>
4.1 漏洞发现过程<\/h3>
通过上述CodeQL查询，发现以下关键点：<\/p>


setAdminContent<\/code>方法未被显式调用<\/p>

该字段为"管理员回复内容"<\/li>
攻击者可自行设置管理员回复<\/li>
<\/ul>
<\/li>

setDeleted<\/code>方法未被显式调用<\/p>

允许用户自删除自己的评论\/数据<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 漏洞利用细节<\/h3>
攻击者可构造如下请求：<\/p>
POST<\/span> \/wx\/comment\/post<\/span>
<\/span><\/span>{
<\/span><\/span>    "content"<\/span>: "正常评论"<\/span>,
<\/span><\/span>    "adminContent"<\/span>: "伪造的管理员回复"<\/span>,
<\/span><\/span>    "deleted"<\/span>: false<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过修改adminContent<\/code>和deleted<\/code>字段，实现非预期的功能操作。<\/p>
5. 防御措施<\/h2>
5.1 最佳实践<\/h3>

显式设置敏感字段<\/strong>：在保存前显式设置不应由用户控制的字段<\/li>
使用DTO模式<\/strong>：创建专用的数据传输对象，仅包含允许用户设置的字段<\/li>
字段白名单<\/strong>：使用@JsonIgnoreProperties(ignoreUnknown = true)<\/code>或类似注解<\/li>
输入验证<\/strong>：对所有用户输入进行严格验证<\/li>
<\/ol>
5.2 Spring特定防御<\/h3>

使用@JsonView<\/code>控制序列化\/反序列化的字段<\/li>
实现WebDataBinder<\/code>自定义数据绑定规则<\/li>
使用@InitBinder<\/code>限制可绑定的字段<\/li>
<\/ol>
6. 总结<\/h2>
大量赋值漏洞是现代Web框架中常见的安全问题，特别是在使用自动绑定功能的框架如Spring中。通过CodeQL等静态分析工具，可以有效地发现这类漏洞。开发者应当始终遵循最小权限原则，显式控制哪些字段可以由用户设置，从而避免此类安全问题。<\/p>
7. 参考资源<\/h2>

OWASP API Security: Broken Object Property Level Authorization<\/li>
PortSwigger Web Security: Mass Assignment Vulnerabilities<\/li>
CodeQL for Java documentation<\/li>
OWASP Web Security Testing Guide: Testing for Mass Assignment<\/li>
<\/ol>

Spring框架中的大量赋值漏洞分析与CodeQL挖掘技术<\/h1>

1. 大量赋值漏洞概述<\/h2>

1.1 基本概念<\/h3> 大量赋值(Mass Assignment)漏洞是指后端为了简化开发流程，自动将请求参数绑定到后端对象的属性上，但开发者没有限制哪些字段可以被赋值，导致攻击者可能注入原本不应由用户控制的敏感字段。<\/p>

1.3 漏洞本质<\/h3> 后端接收了本不应暴露给用户的字段并进行处理，特别是当框架自动将请求参数绑定到对象属性时，如果没有适当的限制机制。<\/p>

2. Spring框架中的大量赋值漏洞<\/h2>

2.1 Spring框架简介<\/h3> Spring Framework是一个开源的Java应用程序开发框架，以其轻量级、模块化和强大的依赖注入(DI)与面向切面编程(AOP)特性而广受欢迎。<\/p>

2.3 漏洞示例分析<\/h3>

3. 使用CodeQL挖掘大量赋值漏洞<\/h2>

3.2 分析步骤详解<\/h3>

4. 实际漏洞案例：CVE-2025-6702<\/h2>

7. 参考资源<\/h2> OWASP API Security: Broken Object Property Level Authorization<\/li> PortSwigger Web Security: Mass Assignment Vulnerabilities<\/li> CodeQL for Java documentation<\/li> OWASP Web Security Testing Guide: Testing for Mass Assignment<\/li> <\/ol>

1.1 基本概念<\/h3>
大量赋值(Mass Assignment)漏洞是指后端为了简化开发流程，自动将请求参数绑定到后端对象的属性上，但开发者没有限制哪些字段可以被赋值，导致攻击者可能注入原本不应由用户控制的敏感字段。<\/p>

1.3 漏洞本质<\/h3>
后端接收了本不应暴露给用户的字段并进行处理，特别是当框架自动将请求参数绑定到对象属性时，如果没有适当的限制机制。<\/p>

2.1 Spring框架简介<\/h3>
Spring Framework是一个开源的Java应用程序开发框架，以其轻量级、模块化和强大的依赖注入(DI)与面向切面编程(AOP)特性而广受欢迎。<\/p>

7. 参考资源<\/h2>

OWASP API Security: Broken Object Property Level Authorization<\/li>
PortSwigger Web Security: Mass Assignment Vulnerabilities<\/li>
CodeQL for Java documentation<\/li>
OWASP Web Security Testing Guide: Testing for Mass Assignment<\/li> <\/ol>