rspec/rules/S3374/xml/rule.adoc

Having two form validation entries with the same name indicates a configuration
issue. Only one of the two configurations will be applied, which can lead to
validation gaps.

== Why is this an issue?

In Struts, form validation is used to validate the data the application's
clients provide as part of a form submission to the server. Configuring two
different form validations with the same name leads to unexpected behaviors.

When faced with multiple form validations with the same name, Struts will
arbitrarily choose one and apply it while discarding the others.

=== What is the potential impact?

The application might perform an incomplete validation of user-submitted forms.
Some parts of the validation configuration defined in discarded items will not
apply, which can have severe consequences if not duplicated in the applied one.

Missing input validation can make the application vulnerable to injection
attacks or other severe issues. They might affect the confidentiality,
integrity, or availability of the application or the data it stores.

== How to fix it

=== Code examples

==== Noncompliant code example

[source,xml,diff-id=1,diff-type=noncompliant]
----
<form-validation>
  <formset>
    <form name="BookForm"> ... </form>
    <form name="BookForm"> ... </form>  <!-- Noncompliant -->
  </formset>
</form-validation>
----


==== Compliant solution

[source,xml,diff-id=1,diff-type=compliant]
----
<form-validation>
  <formset>
    <form name="BookForm"> ... </form>
  </formset>
</form-validation>
----

=== How does this work?

Only one validation configuration should remain. Depending on what was
previously configured, one should either remove the useless validation entries 
or merge all of them into a single complete one.

== Resources

=== Standards

* CWE - https://cwe.mitre.org/data/definitions/102[CWE-102 - Struts: Duplicate Validation Forms]

=== Documentation

* Struts Documentation - https://svn.apache.org/repos/asf/struts/struts1/tags/STRUTS_1_1_B1/contrib/validator/docs/overview.html[Struts Validator]
* OWASP - https://owasp.org/www-community/vulnerabilities/Improper_Data_Validation[Improper Data Validation]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Rename this form; line x holds another form declaration with the same name.


=== Highlighting

* primary: second instance of form name
* secondary: original instance of form name
** message: original


'''
== Comments And Links
(visible only on this page)

=== on 12 Oct 2015, 14:49:34 Ann Campbell wrote:
in ``++validation.xml++``

=== on 19 Mar 2018, 11:04:46 Sébastien GIORIA - AppSecFR wrote:
According to [CWE-102], is a member of A1:2017 Injection.

=== on 29 May 2018, 17:07:01 Alexandre Gigleux wrote:
\[~SPoint] CWE-102 is saying "OWASP Top Ten 2004 Category A1 - Unvalidated Input" and there is no longer a category for "Unvalidated Input".

endif::env-github,rspecator-view[]
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`Having two form validation entries with the same name indicates a configuration`
			`issue. Only one of the two configurations will be applied, which can lead to`
			`validation gaps.`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`In Struts, form validation is used to validate the data the application's`
			`clients provide as part of a form submission to the server. Configuring two`
			`different form validations with the same name leads to unexpected behaviors.`

			`When faced with multiple form validations with the same name, Struts will`
			`arbitrarily choose one and apply it while discarding the others.`

			`=== What is the potential impact?`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`The application might perform an incomplete validation of user-submitted forms.`
			`Some parts of the validation configuration defined in discarded items will not`
			`apply, which can have severe consequences if not duplicated in the applied one.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`Missing input validation can make the application vulnerable to injection`
			`attacks or other severe issues. They might affect the confidentiality,`
			`integrity, or availability of the application or the data it stores.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`== How to fix it`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`=== Code examples`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`==== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`[source,xml,diff-id=1,diff-type=noncompliant]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`<form-validation>`
			`<formset>`
			`<form name="BookForm"> ... </form>`
			`<form name="BookForm"> ... </form> <!-- Noncompliant -->`
			`</formset>`
			`</form-validation>`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`==== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`[source,xml,diff-id=1,diff-type=compliant]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`<form-validation>`
			`<formset>`
			`<form name="BookForm"> ... </form>`
			`</formset>`
			`</form-validation>`
			`----`

Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`=== How does this work?`

			`Only one validation configuration should remain. Depending on what was`
			`previously configured, one should either remove the useless validation entries`
			`or merge all of them into a single complete one.`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`=== Standards`

			`* CWE - https://cwe.mitre.org/data/definitions/102[CWE-102 - Struts: Duplicate Validation Forms]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00			`=== Documentation`

			`* Struts Documentation - https://svn.apache.org/repos/asf/struts/struts1/tags/STRUTS_1_1_B1/contrib/validator/docs/overview.html[Struts Validator]`
			`* OWASP - https://owasp.org/www-community/vulnerabilities/Improper_Data_Validation[Improper Data Validation]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Rename this form; line x holds another form declaration with the same name.`


			`=== Highlighting`

			`* primary: second instance of form name`
			`* secondary: original instance of form name`
			`** message: original`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 12 Oct 2015, 14:49:34 Ann Campbell wrote:`
			in ``++validation.xml++``

			`=== on 19 Mar 2018, 11:04:46 Sébastien GIORIA - AppSecFR wrote:`
			`According to [CWE-102], is a member of A1:2017 Injection.`

			`=== on 29 May 2018, 17:07:01 Alexandre Gigleux wrote:`
			`\[~SPoint] CWE-102 is saying "OWASP Top Ten 2004 Category A1 - Unvalidated Input" and there is no longer a category for "Unvalidated Input".`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`
Modify S3374: Change text to LayC (APPSEC-1241) (#3371) 2023-10-27 09:29:39 +02:00