Prevent field from being bound

[bitflipp]

Is there a way (e. g. using a magic tag value like encoding/json allows) to prevent a field from being bound?

type Thing struct {
     ShouldBeBound    string `form:"should_be_bound"`
     ShouldNotBeBound string `form:"-"`
}

[aldas]

First of all. You really should not bind to struct that have have fields that must not be filled. This potentially opens you for security risks. Especially if you are dealing with JSON which uses standard library implementation that will bind to public fields ("captitalized names") that do not have "json" tag.

https://echo.labstack.com/guide/binding/ has this note

To avoid security flaws try to avoid passing bound structs directly to other methods if these structs contain fields that should not be bindable. It is advisable to have separate struct for binding and map it explicitly to your business struct. Consider what will happen if your bound struct has public field IsAdmin bool and request body would contain {IsAdmin: true, Name: "hacker"}.

You may want to read this #1670 (comment)

---

What version are you using? Since version v4.2.0 binder should not bind to fields that does not have explicit tag on field.

So if you remove the tag. it should be enough

// curl -v -F "should_be_bound=test" -F "ShouldNotBeBound=nope" http://localhost:8080/
func main() {
	e := echo.New()

	e.POST("/", func(c echo.Context) error {
		type Thing struct {
			ShouldBeBound    string `form:"should_be_bound"`
			ShouldNotBeBound string // `form:"-"`
		}

		fields := Thing{}
		if err := c.Bind(&fields); err != nil {
			return err
		}

		log.Printf("%+v\n", fields)
		return c.String(http.StatusOK, "OK\n")
	})

	log.Fatal(e.Start(":8080"))
}

Should log something like that

2021/10/12 22:34:30 {ShouldBeBound:test ShouldNotBeBound:}

[bitflipp]

Very insightful, thanks.