model binding in asp.net mvc
DESCRIPTION
A quick overview of how to secure your model binding in ASP.NET MVC
TRANSCRIPT
1. Tightly binding your model
(Part of a series on ASP.NET MVC Security)
Barry Dorrans
MVP Developer Security
2. Introduction
The Model: a class that encapsulates data and represents a business entity, for example an Order.
The View: the user interface into an application.
The Controller: manages communication between the UI and the model.
3. Binding
Binding takes input from a view and applies it to a model.
For example:
A view contains a field called PostCode.
The model has a public get/set property called PostCode.
Binding uses the PostCode property on the model to render the field onto the view, then takes the PostCode value returned with the form and sets the property on the model.
4. The Problem
What if I add a field to the form submission whose name matches a property on the model? ....
5. The Solution - FormDataCollection
If your actions take FormDataCollections, pass a string array of allowed bindable property names, e.g.
UpdateModel(boardPost, new[] { "Title", "Content", "Rating" });
6. The Solution - Model Actions
If your actions take an instance of a model object then set the Bind attribute in your method definition, e.g.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Edit([Bind(Include = "Title,Content")] BoardPost boardPost)
7. The Solution - Model Based
You can also apply the Bind attribute to your model classes, but this applies to all binding calls, which can be limiting.
[Bind(Include = "Title,Content")]
public class BoardPosting { }
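The following is an added example, not code from the slides. It puts the over-posting problem of slide 4 next to the two action-level fixes of slides 5 and 6 in one controller. The BoardPost entity, its IsApproved property and the IBoardPostRepository interface are assumed for illustration; the ASP.NET MVC calls (UpdateModel/TryUpdateModel with an include list, the Bind attribute) are the framework's own.

```csharp
using System.Web.Mvc;

// Assumed domain entity. IsApproved is never rendered on the edit form, but a
// public get/set property is bindable by default, which is the slide 4 problem.
public class BoardPost
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
    public int Rating { get; set; }
    public bool IsApproved { get; set; }   // should only ever be set by a moderator
}

// Assumed data-access abstraction so the actions can load and save an entity.
public interface IBoardPostRepository
{
    BoardPost Get(int id);
    void Save(BoardPost post);
}

public class BoardPostController : Controller
{
    private readonly IBoardPostRepository _repository;

    public BoardPostController(IBoardPostRepository repository)
    {
        _repository = repository;
    }

    // Slide 4, the problem: the default binder populates every public property for
    // which it finds a matching form field, so a submission carrying an extra
    // IsApproved=true field approves the post although the view never offered it.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditUnsafe(BoardPost boardPost)
    {
        if (!ModelState.IsValid) return View(boardPost);
        _repository.Save(boardPost);
        return RedirectToAction("Index");
    }

    // Slide 5: load the entity yourself and copy only the named properties from the
    // posted form. TryUpdateModel takes the same include list as UpdateModel on the
    // slide but returns false instead of throwing when validation fails.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditWithFormCollection(int id, FormCollection form)
    {
        var boardPost = _repository.Get(id);
        if (!TryUpdateModel(boardPost, new[] { "Title", "Content", "Rating" }))
        {
            return View(boardPost);
        }
        _repository.Save(boardPost);            // IsApproved is untouched
        return RedirectToAction("Index");
    }

    // Slide 6: the Bind attribute on the parameter limits which properties the
    // binder will set. Only Title and Content come from the request; they are then
    // copied explicitly onto the stored entity, so nothing else can be over-posted.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit(int id, [Bind(Include = "Title,Content")] BoardPost input)
    {
        if (!ModelState.IsValid) return View(input);
        var boardPost = _repository.Get(id);
        boardPost.Title = input.Title;
        boardPost.Content = input.Content;
        _repository.Save(boardPost);
        return RedirectToAction("Index");
    }
}
```

The explicit copy in the last action is deliberate: because Id is not in the include list, the bound `input` object is not the persisted entity, and copying field by field keeps the list of writable properties visible in the action itself.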
8. The Solution - General
Create a view specific model which has protected properties which are not bindable.
Or be really nasty and create a custom binder. Propeller hats needed.
You can also exclude rather than include; white listing is more secure. Excludes may be suitable for model level restrictions.
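As an added example covering slides 7 and 8 (not code from the slides), the class-level Bind attribute, a view-specific model, and the custom-binder route are shown side by side. The extra properties on BoardPosting, the view model, the AllowListBinder class and the IBoardPostingRepository interface are assumed; DefaultModelBinder, its BindProperty override and ModelBinders.Binders are part of ASP.NET MVC.

```csharp
using System.Collections.Generic;
using System.ComponentModel;
using System.Web.Mvc;

// Slide 7: the attribute on the class restricts every binding of BoardPosting,
// including a future action that might legitimately need to bind Rating. That is
// the "limiting" the slide warns about.
[Bind(Include = "Title,Content")]
public class BoardPosting
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
    public int Rating { get; set; }
    public bool IsApproved { get; set; }   // sensitive; never part of a form
}

// Slide 8: a view-specific model carries only what the form renders. Sensitive
// members stay on the entity, so there is nothing here to over-post.
public class EditBoardPostingViewModel
{
    public string Title { get; set; }
    public string Content { get; set; }
}

// Slide 8, the "propeller hat" option: a binder that ignores every property not
// on its allow list, whichever action it is used from. Registered once at startup:
//   ModelBinders.Binders.Add(typeof(BoardPosting), new AllowListBinder("Title", "Content"));
public class AllowListBinder : DefaultModelBinder
{
    private readonly HashSet<string> _allowed;

    public AllowListBinder(params string[] allowed)
    {
        _allowed = new HashSet<string>(allowed);
    }

    protected override void BindProperty(ControllerContext controllerContext,
        ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor)
    {
        // Properties outside the list are never assigned, so IsApproved keeps its
        // default regardless of what the form contains.
        if (!_allowed.Contains(propertyDescriptor.Name)) return;
        base.BindProperty(controllerContext, bindingContext, propertyDescriptor);
    }
}

// Assumed data-access abstraction.
public interface IBoardPostingRepository
{
    BoardPosting Get(int id);
    void Save(BoardPosting posting);
}

public class BoardPostingController : Controller
{
    private readonly IBoardPostingRepository _repository;

    public BoardPostingController(IBoardPostingRepository repository)
    {
        _repository = repository;
    }

    // The view model is what gets bound; the entity is loaded and updated by hand,
    // so the set of writable fields is exactly the view model's members.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit(int id, EditBoardPostingViewModel input)
    {
        if (!ModelState.IsValid) return View(input);
        var posting = _repository.Get(id);
        posting.Title = input.Title;
        posting.Content = input.Content;
        _repository.Save(posting);
        return RedirectToAction("Index");
    }
}
```

The view-model approach is the one that needs no framework knowledge to review: a reader can see which properties cross from the request to the entity without knowing how the binder resolves attributes or registrations.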