Comments for Josh Bush

Comment on Mass Assignment Vulnerability in ASP.NET MVC by Ron Krauter

Ron Krauter — Mon, 23 Apr 2012 16:26:00 +0000

Brad Wilson has mentioned this in a post from two years.
http://bradwilson.typepad.com/blog/2010/01/input-validation-vs-model-validation-in-aspnet-mvc.html

Comment on Mass Assignment Vulnerability in ASP.NET MVC by Ron Krauter

Ron Krauter — Mon, 23 Apr 2012 16:26:00 +0000

http://bradwilson.typepad.com/blog/2010/01/input-validation-vs-model-validation-in-aspnet-mvc.html

Comment on Mass Assignment Vulnerability in ASP.NET MVC by The Pull Request » The Pull Request Episode 3

The Pull Request » The Pull Request Episode 3 — Tue, 13 Mar 2012 01:57:52 +0000

[...] The group discusses the Mass Assignment Vulnerability and Josh Bush’s blog post [...]

Comment on Mass Assignment Vulnerability in ASP.NET MVC by Rocky LIU

Rocky LIU — Fri, 09 Mar 2012 05:57:00 +0000

we should operate view model and data model .but take us lots of work for this convert.

Comment on Mass Assignment Vulnerability in ASP.NET MVC by About the mass assignment vulnerability in Asp.Net MVC framework « thewayofcode

Thu, 08 Mar 2012 10:51:11 +0000

[...] could actually happen using Asp.Net MVC model binding feature is explained very well in this blog article by Josh Bush, so I won’t repeat [...]

Comment on Mass Assignment Vulnerability in ASP.NET MVC by Yarx

Yarx — Tue, 06 Mar 2012 16:42:00 +0000

How do you handle the many mappings you’ll need to have in an app that uses Automapper, especially if they are being mapped to complex objects? Do you just define them as you need them or do you have them all defined in a central location

Comment on Mass Assignment Vulnerability in ASP.NET MVC by Josh Bush

Josh Bush — Tue, 06 Mar 2012 13:16:00 +0000

If you are using view specific models, you likely won’t need the Bind attribute. By binding only a subset, there should be no issue of overposting.

Comment on Mass Assignment Vulnerability in ASP.NET MVC by Josh Bush

Josh Bush — Tue, 06 Mar 2012 13:13:00 +0000

Yep, that’s exactly what I’m doing too. I mentioned it towards the end of the article: “The approach I typically take is to model bind to an object with only the properties I’m willing to accept.”

The point of this article was to just point out the parallels between Rails and ASP.NET MVC with this particular issue. I figure if it can affect a site like github, then it’s worth talking about.

Comment on Mass Assignment Vulnerability in ASP.NET MVC by Josh Bush

Josh Bush — Tue, 06 Mar 2012 13:10:00 +0000

Yep, it all boils down to just understanding the data. No framework can do that for us.

Comment on Mass Assignment Vulnerability in ASP.NET MVC by Steve Fenton

Steve Fenton — Tue, 06 Mar 2012 12:27:00 +0000

I agree – with the caveat / reminder that you only put stuff on the ViewModel that you actually need and you also need to think about what happens if you have “Id” on there – what if I change the Id to someone else’s Id etc.