A @RequestMapping method handles all matching requests by default. That means that a method you intended only to be POST-ed to could also be called by a GET, thereby allowing hackers to call the method inappropriately. For example, a "transferFunds" method might be invoked like so:

<img src="http://bank.com/actions/transferFunds?reciepientRouting=000000&receipientAccount=11111111&amount=200.00" width="1" height="1"/>

For that reason, you should always explicitly list the single HTTP method with which you expect your @RequestMapping Java method to be called. This rule raises an issue when the method attribute is missing and when the method attribute is configured with more than one verb. Mixing GET and POST verbs can lead to information leakage. It's easier to set up Spring Security's CSRF protection when there is only one verb per @RequestMapping.
Noncompliant Code Example

```java
@RequestMapping("/greet") // Noncompliant: no method given, so every HTTP verb reaches this handler
public String greet(String greetee) {
    return "Hello " + greetee;
}

@RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST}) // Noncompliant: more than one verb
String delete(@RequestParam("id") String id) {
    return "Hello from delete";
}
```
Compliant Solution

```java
// Exactly one verb per mapping; the path must be passed as a named element
// (value or path) once other elements such as method are present
@RequestMapping(value = "/greet", method = RequestMethod.GET)
public String greet(String greetee) {
    return "Hello " + greetee;
}

@RequestMapping(path = "/delete", method = RequestMethod.GET)
String delete(@RequestParam("id") String id) {
    return "Hello from delete";
}
```
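To see the effect of the restriction concretely, here is an added example that is not part of the original rule description. It puts a "transferFunds" handler behind a single-verb mapping and uses a MockMvc standalone test to confirm that a GET (the verb an img tag issues) is refused with 405 Method Not Allowed before the handler runs, while a POST is accepted. The controller class, its method and parameter names, and the two test methods are assumptions made for illustration; in a real project the controller and the test would live in separate source sets.

```java
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical state-changing endpoint; class, path and parameter names are illustrative.
@RestController
public class TransferController {

    // Exactly one verb. A GET for this path (e.g. triggered by an <img src=...> tag on a
    // third-party page) is answered by Spring MVC with 405 and never enters this method.
    @RequestMapping(path = "/actions/transferFunds", method = RequestMethod.POST)
    public String transferFunds(@RequestParam("recipientAccount") String recipientAccount,
                                @RequestParam("amount") String amount) {
        // A real implementation would delegate to a service here.
        return "transfer of " + amount + " to " + recipientAccount + " accepted";
    }
}

class TransferControllerTest {
    private MockMvc mvc;

    @BeforeEach
    void setUp() {
        // Standalone setup: no application context and no Spring Security, so only the
        // verb restriction declared on the mapping itself is being exercised.
        mvc = MockMvcBuilders.standaloneSetup(new TransferController()).build();
    }

    @Test
    void getIsRejectedWith405() throws Exception {
        mvc.perform(get("/actions/transferFunds")
                .param("recipientAccount", "11111111")
                .param("amount", "200.00"))
           .andExpect(status().isMethodNotAllowed());
    }

    @Test
    void postIsAccepted() throws Exception {
        mvc.perform(post("/actions/transferFunds")
                .param("recipientAccount", "11111111")
                .param("amount", "200.00"))
           .andExpect(status().isOk());
    }
}
```

The same single-verb mapping can be written with the shorthand `@PostMapping("/actions/transferFunds")` on Spring 4.3 and later, which this rule also accepts because the verb is then fixed by the annotation itself. Restricting the verb does not by itself stop a forged cross-site POST, so keep Spring Security's CSRF protection enabled for the state-changing mappings; having one verb per mapping is what makes that configuration straightforward.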