Sponsored by Gluten Free Waffles and Sliced Bananas

Thursday, March 25, 2010

MVC: Model Binding Security

4:04 PM Posted by Tyson Nero
By default the model binder sets every public, settable property on your model for which it can find a matching value in the request, whether or not your form actually renders a field for it. That means a user can add extra fields to a POST (an IsAdmin flag, a price, an owner id) and have them bound onto your model. This is usually called over-posting. If you want to limit which model properties can be updated from the controller, use the [Bind] attribute. You can use the Bind attribute's Include and Exclude properties to control which properties are bindable. Prefer Include: it is an allow-list, so a property you add to the model later is not bindable until you say so, whereas an Exclude list has to be kept in step with every new property or it fails open.

Lock down model binding at the per-usage level:
  1. Create an array of allowed properties
  2. Call UpdateModel passing in your model object and the array of allowed properties
string[] allowedProperties = new[] {"Property1", "Property2"};

UpdateModel(modelObject, allowedProperties);
OR
  1. Add the [Bind] attribute to object passed into your action method
  2. Use the Include or Exclude property to control the bindable model properties
public ActionResult Create([Bind(Include="Property1,Property2")] ModelObject modelObject) 
{
    ...
}
Lock down model binding at the type level for all scenarios:
  1. Add the [Bind] attribute to a particular interface or class
  2. Use the Include or Exclude property to control the bindable model properties
[Bind(Include="Property1,Property2")]
public partial class ModelObject
{
    ...
}
OR
  1. Register the [Bind] attribute for the type in Global.asax when you don't have access to the type definition (a generated or third-party class, for example).
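The following is an added example and not code from the original post. It shows the over-posting problem the [Bind] attribute addresses, both per-usage forms from the steps above (the attribute on the action parameter, and UpdateModel with an allowed-property array), and the type-level form. The UserAccount and BlogPost models, the IUserRepository interface, the controller actions, the DI-aware controller factory and the sample form body are all assumptions constructed for illustration.

```csharp
using System.Web.Mvc;

// Added example, not code from the original post. The repository, the
// Id-based lookup and the constructor injection are assumptions made to
// keep the sample self-contained.
public class UserAccount
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // server-owned; must never come from a form post
}

public interface IUserRepository       // hypothetical persistence layer
{
    UserAccount Get(int id);
    void Save(UserAccount account);
}

public class AccountController : Controller
{
    private readonly IUserRepository _repository;

    // Assumes a DI-aware controller factory supplies the repository.
    public AccountController(IUserRepository repository)
    {
        _repository = repository;
    }

    // VULNERABLE: DefaultModelBinder binds every public settable property it
    // finds a value for in the request, so a constructed form body such as
    //   UserName=mallory&Email=m%40example.com&IsAdmin=true
    // makes the caller an administrator. The view does not need to render an
    // IsAdmin field for this to work; the attacker simply adds the parameter.
    [HttpPost]
    public ActionResult EditUnsafe(UserAccount account)
    {
        _repository.Save(account);
        return RedirectToAction("Index");
    }

    // HARDENED (per-usage, attribute form): only UserName and Email are bound.
    // IsAdmin and Id posted by the client are ignored; the record is identified
    // by the route value and the server-owned fields are preserved.
    [HttpPost]
    public ActionResult Edit(int id, [Bind(Include = "UserName,Email")] UserAccount posted)
    {
        if (!ModelState.IsValid) return View(posted);

        UserAccount account = _repository.Get(id);
        account.UserName = posted.UserName;
        account.Email = posted.Email;
        _repository.Save(account);
        return RedirectToAction("Index");
    }

    // HARDENED (per-usage, UpdateModel form): load the existing record and copy
    // in only the allow-listed properties. TryUpdateModel is used instead of
    // UpdateModel so a validation failure returns false rather than throwing
    // InvalidOperationException.
    [HttpPost]
    public ActionResult EditWithUpdateModel(int id)
    {
        UserAccount account = _repository.Get(id);
        string[] allowedProperties = new[] { "UserName", "Email" };

        if (!TryUpdateModel(account, allowedProperties))
        {
            return View(account);
        }
        _repository.Save(account);
        return RedirectToAction("Index");
    }
}

// HARDENED (type level): the same allow-list applied once on the class, so
// every action that binds a BlogPost gets it, including UpdateModel calls
// that pass no property list.
[Bind(Include = "Title,Body")]
public class BlogPost
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Body { get; set; }
    public bool Published { get; set; }   // set only through a dedicated publish action
}
```

Two things to check when you apply this: the names in an Include string must match the property names exactly, since a misspelled entry silently stops that property from binding rather than producing an error, and the allow-list does not by itself stop a client from posting another user's Id, which is why the hardened actions take the record identifier from the route and load the existing record before copying values in.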
