rspec/rules/S4530/java/rule.adoc

Using Struts 1 ActionForm is security-sensitive. For example, their use has led in the past to the following vulnerability:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114]

All classes extending ``++org.apache.struts.action.Action++`` are potentially remotely reachable. The ``++ActionForm++`` object provided as a parameter of the ``++execute++`` method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely. 


== Ask Yourself Whether

* some parameters of the ActionForm might not have been validated properly.
* dangerous parameter names are accepted. Example: accept a "class" parameter and use the form to populate JavaBean properties (see the CVE-2014-0114 above).
* there are unused fields which are not empty or undefined.

You are at risk if you answered to any of these questions.


== Recommended Secure Coding Practices

All ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible.


Allow only non security-sensitive property names. All the ActionForm's property names should be whitelisted.


Unused fields should be constrained so that they are either empty or undefined.


= Noncompliant Code Example

----
// Struts 1.1+
public final class CashTransferAction extends Action {

  public String fromAccount = ""; 
  public String toAccount = "";

  public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception {
    // usage of the "form" object to call some services doing JDBC actions
    [...]
    return mapping.findForward(resultat);
  }
}
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/105.html[MITRE, CWE-105]: Struts Form Field Without Validator
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Using Struts 1 ActionForm is security-sensitive. For example, their use has led in the past to the following vulnerability:`

			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114]`

			All classes extending ``++org.apache.struts.action.Action++`` are potentially remotely reachable. The ``++ActionForm++`` object provided as a parameter of the ``++execute++`` method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Ask Yourself Whether`

			`* some parameters of the ActionForm might not have been validated properly.`
			`* dangerous parameter names are accepted. Example: accept a "class" parameter and use the form to populate JavaBean properties (see the CVE-2014-0114 above).`
			`* there are unused fields which are not empty or undefined.`

			`You are at risk if you answered to any of these questions.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Recommended Secure Coding Practices`

			`All ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible.`


			`Allow only non security-sensitive property names. All the ActionForm's property names should be whitelisted.`


			`Unused fields should be constrained so that they are either empty or undefined.`



			`= Noncompliant Code Example`

			`----`
			`// Struts 1.1+`
			`public final class CashTransferAction extends Action {`

			`public String fromAccount = "";`
			`public String toAccount = "";`

			`public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception {`
			`// usage of the "form" object to call some services doing JDBC actions`
			`[...]`
			`return mapping.findForward(resultat);`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection`
			`* https://cwe.mitre.org/data/definitions/105.html[MITRE, CWE-105]: Struts Form Field Without Validator`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00