rspec/rules/S4531/java/rule.adoc

Using setters in Struts 2 ActionSupport is security-sensitive. For example, their use has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1006[CVE-2012-1006]

All classes extending ``++com.opensymphony.xwork2.ActionSupport++`` are potentially remotely reachable. An action class extending ActionSupport will receive all HTTP parameters sent and these parameters will be automatically mapped to the setters of the Struts 2 action class. One should review the use of the fields set by the setters, to be sure they are used safely. By default, they should be considered as untrusted inputs.


== Ask Yourself Whether

* the setter is needed. There is no need for it if the attribute's goal is not to map queries' parameter.
* the value provided to the setter is properly sanitized before being used or stored. (*)

(*) You are at risk if you answered yes to this question.


== Recommended Secure Coding Practices

As said in Struts documentation: https://struts.apache.org/security/#do-not-define-setters-when-not-needed["Do not define setters when not needed"]

Sanitize the user input. This can be for example done by implementing the ``++validate()++`` method of ``++com.opensymphony.xwork2.ActionSupport++``.


== Sensitive Code Example

[source,java]
----
public class AccountBalanceAction extends ActionSupport {
  private static final long serialVersionUID = 1L;
  private Integer accountId;

  // this setter might be called with user input
  public void setAccountId(Integer accountId) {
    this.accountId = accountId;
  }

  @Override
  public String execute() throws Exception {
    // call a service to get the account's details and its balance
    [...]
    return SUCCESS;
  }
}
----


== See

* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure that executing this ActionSupport is safe.


=== Highlighting

First: the ``++execute++`` method

Second: locations where the setters are defined.


'''
== Comments And Links
(visible only on this page)

=== is related to: S4529

=== on 26 Mar 2018, 20:52:10 Alexandre Gigleux wrote:
Struts 2 Examples: \https://github.com/apache/struts-examples


This rule should raise an issue if:

* the class is extending ``++com.opensymphony.xwork2.ActionSupport++``
* the class overrides the ``++execute++`` method
* the class is having at least one setter method

=== on 26 Mar 2018, 20:56:59 Alexandre Gigleux wrote:
This is a "Security Hotspot".

=== on 27 May 2020, 16:47:21 Eric Therond wrote:
Deprecated because it overlaps with SonarSecurity

endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Using setters in Struts 2 ActionSupport is security-sensitive. For example, their use has led in the past to the following vulnerabilities:`

			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1006[CVE-2012-1006]`

			All classes extending ``++com.opensymphony.xwork2.ActionSupport++`` are potentially remotely reachable. An action class extending ActionSupport will receive all HTTP parameters sent and these parameters will be automatically mapped to the setters of the Struts 2 action class. One should review the use of the fields set by the setters, to be sure they are used safely. By default, they should be considered as untrusted inputs.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Ask Yourself Whether`

			`* the setter is needed. There is no need for it if the attribute's goal is not to map queries' parameter.`
			`* the value provided to the setter is properly sanitized before being used or stored. (*)`

			`(*) You are at risk if you answered yes to this question.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Recommended Secure Coding Practices`

			`As said in Struts documentation: https://struts.apache.org/security/#do-not-define-setters-when-not-needed["Do not define setters when not needed"]`

			Sanitize the user input. This can be for example done by implementing the ``++validate()++`` method of ``++com.opensymphony.xwork2.ActionSupport++``.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Sensitive Code Example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`public class AccountBalanceAction extends ActionSupport {`
			`private static final long serialVersionUID = 1L;`
			`private Integer accountId;`

			`// this setter might be called with user input`
			`public void setAccountId(Integer accountId) {`
			`this.accountId = accountId;`
			`}`

			`@Override`
			`public String execute() throws Exception {`
			`// call a service to get the account's details and its balance`
			`[...]`
			`return SUCCESS;`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure that executing this ActionSupport is safe.`


			`=== Highlighting`

			First: the ``++execute++`` method

			`Second: locations where the setters are defined.`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== is related to: S4529`

			`=== on 26 Mar 2018, 20:52:10 Alexandre Gigleux wrote:`
			`Struts 2 Examples: \https://github.com/apache/struts-examples`


			`This rule should raise an issue if:`

			* the class is extending ``++com.opensymphony.xwork2.ActionSupport++``
			* the class overrides the ``++execute++`` method
			`* the class is having at least one setter method`

			`=== on 26 Mar 2018, 20:56:59 Alexandre Gigleux wrote:`
			`This is a "Security Hotspot".`

			`=== on 27 May 2020, 16:47:21 Eric Therond wrote:`
			`Deprecated because it overlaps with SonarSecurity`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`