I have an ASP.NET MVC application that is calendar-like. As per the NerdDinner example, I’m updating the results of my edit page using UpdateMethod()
In my app, certain events are fully customizable and certain ones are only partially customizable. Even though the edit form for editing the partially customizable events only have those fields available, obviously someone could create their own form with the missing data and post to my site. If they do so, what’s to keep someone from changing any/all fields? Worse, what if they tried to change the id (primary key)?
It feels like UpdateModel() is vulnerable to very basic hacking. Are my fears legitimate or is there something I’m missing?
// POST: /MyEvents/Edit/2
[AcceptVerbs(HttpVerbs.Post), Authorize]
public ActionResult Edit(int id, FormCollection formValues)
{
MyEvent myevent = eventRepository.GetMyEvent(id);
try
{
UpdateModel(myevent);
eventRepository.Save();
return RedirectToAction("Details", new { id = myevent.MyEventId });
}
catch
{
ModelState.AddRuleViolations(myevent.GetRuleViolations());
return View(new MyEventFormViewModel(myevent));
}
}
You’re missing the section on “Model Binding Security”. You should always include a whitelist of properties that can be updated by any of your user input methods.
For example, from NerdDinner:
or if you’re calling UpdateModel, you can create a string array of allowed properties, and do
You can lock down the classes themselves so that only certain properties are updateable as well.