2023-05-03 11:06:20 +02:00
== Why is this an issue?
2021-04-28 16:49:39 +02:00
According to the Common Weakness Enumeration,
____
If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations...
____
In such a case, it is likely that the two forms should be combined. At the very least, one should be removed.
2021-04-28 18:08:03 +02:00
2023-05-03 11:06:20 +02:00
=== Noncompliant code example
2021-04-28 16:49:39 +02:00
2022-02-04 17:28:24 +01:00
[source,xml]
2021-04-28 16:49:39 +02:00
----
<form-validation>
<formset>
<form name="BookForm"> ... </form>
<form name="BookForm"> ... </form> <!-- Noncompliant -->
</formset>
</form-validation>
----
2021-04-28 18:08:03 +02:00
2023-05-03 11:06:20 +02:00
=== Compliant solution
2021-04-28 16:49:39 +02:00
2022-02-04 17:28:24 +01:00
[source,xml]
2021-04-28 16:49:39 +02:00
----
<form-validation>
<formset>
<form name="BookForm"> ... </form>
</formset>
</form-validation>
----
2021-04-28 18:08:03 +02:00
2023-05-03 11:06:20 +02:00
== Resources
2021-04-28 16:49:39 +02:00
2022-04-07 08:53:59 -05:00
* https://cwe.mitre.org/data/definitions/102[MITRE, CWE-102] - Struts: Duplicate Validation Forms
2021-04-28 16:49:39 +02:00
* https://owasp.org/www-community/vulnerabilities/Improper_Data_Validation[OWASP, Improper Data Validation] - Struts: Duplicate Validation Forms
2021-04-28 18:08:03 +02:00
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
include::highlighting.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
