Constrain Spring MVC data binding for domain objects
Binding request parameters directly onto entity-like models (JPA entities, domain objects with setters for every column) without `setAllowedFields` / `@InitBinder` controls exposes every writable property to the client and risks mass-assignment privilege escalation.
#Metadata
#Why it matters
Spring's `WebDataBinder` populates any writable property whose name matches an incoming request parameter, so an attacker can post fields the form never exposes (for example `role=admin`, `enabled=true`, or an `id` belonging to another user) and have them written straight into persistent entities unless binding is explicitly allow-listed.
#Remediation
Prefer dedicated request DTOs that carry only the fields a client is allowed to set; where a domain object must be bound, register an `@InitBinder` method that calls `setAllowedFields(...)` (an allow-list, preferred over `setDisallowedFields`, which is a deny-list that silently misses properties added later); and never bind security-sensitive properties such as roles, account status, or ownership from raw request parameters.
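The following is an added example, not code from the rule catalogue or from any Spring project: a controller that binds a request straight onto a hypothetical `User` entity, beside the hardened form that binds a `ProfileUpdateRequest` DTO under an explicit `@InitBinder` allow-list. `User`, `UserRepository`, `ProfileUpdateRequest`, and the `/profile` endpoint are all assumed names for illustration.

```java
import java.security.Principal;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Hypothetical persistent entity. The 'role' property is security-sensitive
// and must never be client-controlled.
class User {
    private Long id;
    private String displayName;
    private String email;
    private String role = "USER";
    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String v) { displayName = v; }
    public String getEmail() { return email; }
    public void setEmail(String v) { email = v; }
    public String getRole() { return role; }
    public void setRole(String v) { role = v; }
}

// Hypothetical repository, stubbed to the two calls the controllers need.
interface UserRepository {
    User findByEmail(String email);
    User save(User user);
}

@Controller
class VulnerableAccountController {
    private final UserRepository users;
    VulnerableAccountController(UserRepository users) { this.users = users; }

    // VULNERABLE: every writable User property is bound from request
    // parameters, so POST /profile with displayName=x&role=ADMIN&id=1
    // overwrites role (and any other row the id points at).
    @PostMapping("/profile")
    public String update(@ModelAttribute User user) {
        users.save(user);
        return "redirect:/profile";
    }
}

// Hardened step 1: a request DTO exposing only client-settable fields.
class ProfileUpdateRequest {
    private String displayName;
    private String email;
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String v) { displayName = v; }
    public String getEmail() { return email; }
    public void setEmail(String v) { email = v; }
}

@Controller
class HardenedAccountController {
    private final UserRepository users;
    HardenedAccountController(UserRepository users) { this.users = users; }

    // Hardened step 2: an explicit allow-list on the binder for this model
    // attribute. Any other parameter (role, id, enabled, ...) is dropped
    // before binding rather than applied to the object.
    @InitBinder("profileUpdateRequest")
    void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");
    }

    // Hardened step 3: copy the allowed fields onto the entity the caller
    // actually owns, resolved from the authenticated principal, not from
    // a client-supplied id.
    @PostMapping("/profile")
    public String update(@ModelAttribute ProfileUpdateRequest req, Principal principal) {
        User current = users.findByEmail(principal.getName());
        current.setDisplayName(req.getDisplayName());
        current.setEmail(req.getEmail());
        users.save(current);
        return "redirect:/profile";
    }
}
```

The `@InitBinder("profileUpdateRequest")` value scopes the allow-list to that model attribute (Spring derives the default attribute name from the parameter type); omit the value to apply it to every binder in the controller. `setAllowedFields` accepts simple patterns such as `address.*` for nested paths. Even with the DTO in place the allow-list is worth keeping: it protects against a later refactor that adds a sensitive setter to the DTO, whereas a `setDisallowedFields` deny-list has to be updated for every new property or it silently stops covering it.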
#Repository path
The generated metadata points to critiq-rules/libs/rules/catalog/rules/java/java.security.spring-webmvc-unrestricted-data-binding.rule.yaml.