rspec/rules/S3355/xml/rule.adoc

This vulnerability exposes the application to failures of a wide range of
application-specific features the Strut filter was supposed to perform, such as
authentication, logging, encryption, and more.

== Why is this an issue?

Filters are used to intercept requests and responses from a server and allow
developers to manipulate them. When a `filter` is declared, but the
corresponding `filter assignment` is inadvertently not, then the code is
vulnerable to security problems or business logic instability.

If a filter is defined in the web application descriptor file `web.xml` but is
not used in a "filter mapping", this is an indication that it may have been
forgotten.

=== What is the potential impact?

If a filter is not used in a ``++<filter-mapping>++`` element, it will not be
called. Below are some examples of the impact of this oversight.

==== Unauthorized access

One of the main uses of Struts filters is to provide security measures such as
authentication and authorization. If a filter is forgotten in the filter
mappings, unauthorized users could gain access to sensitive data or perform
actions that they are not authorized to perform.

==== Functional problems

Filters can also be used to modify requests and responses, format data, or even
handle errors. If these features are not included in the filter mappings, they
may not work as expected, resulting in a poor user experience or even
application crash.

==== Performance issues

Some filters are designed to improve the performance of your application, such
as those that implement caching strategies. If these are not mapped, you may
experience slow response times or increased server load on your application.

== How to fix it

=== Code examples

==== Noncompliant code example

[source,xml,diff-id=1,diff-type=noncompliant]
----
<filter>
    <filter-name>ValidationFilter</filter-name> <!-- Noncompliant -->
    <filter-class>com.myco.servlet.ValidationFilter</filter-class>
</filter>
----

==== Compliant solution

[source,xml,diff-id=1,diff-type=compliant]
----
<filter>
    <filter-name>ValidationFilter</filter-name>
    <filter-class>com.myco.servlet.ValidationFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
----

== Resources

=== Documentation

* Struts Docs - https://struts.apache.org/core-developers/web-xml[Web.xml Developpers Guide]

=== Standards

* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* "xxx" filter should have a mapping.

'''

endif::env-github,rspecator-view[]
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`This vulnerability exposes the application to failures of a wide range of`
			`application-specific features the Strut filter was supposed to perform, such as`
			`authentication, logging, encryption, and more.`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`Filters are used to intercept requests and responses from a server and allow`
			developers to manipulate them. When a `filter` is declared, but the
			corresponding `filter assignment` is inadvertently not, then the code is
			`vulnerable to security problems or business logic instability.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			If a filter is defined in the web application descriptor file `web.xml` but is
			`not used in a "filter mapping", this is an indication that it may have been`
			`forgotten.`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`=== What is the potential impact?`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			If a filter is not used in a ``++<filter-mapping>++`` element, it will not be
			`called. Below are some examples of the impact of this oversight.`

			`==== Unauthorized access`

			`One of the main uses of Struts filters is to provide security measures such as`
			`authentication and authorization. If a filter is forgotten in the filter`
			`mappings, unauthorized users could gain access to sensitive data or perform`
			`actions that they are not authorized to perform.`

			`==== Functional problems`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`Filters can also be used to modify requests and responses, format data, or even`
			`handle errors. If these features are not included in the filter mappings, they`
			`may not work as expected, resulting in a poor user experience or even`
			`application crash.`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`==== Performance issues`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`Some filters are designed to improve the performance of your application, such`
			`as those that implement caching strategies. If these are not mapped, you may`
			`experience slow response times or increased server load on your application.`

			`== How to fix it`

			`=== Code examples`

			`==== Noncompliant code example`

			`[source,xml,diff-id=1,diff-type=noncompliant]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`<filter>`
			`<filter-name>ValidationFilter</filter-name> <!-- Noncompliant -->`
			`<filter-class>com.myco.servlet.ValidationFilter</filter-class>`
			`</filter>`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`

Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`==== Compliant solution`

			`[source,xml,diff-id=1,diff-type=compliant]`
			`----`
			`<filter>`
			`<filter-name>ValidationFilter</filter-name>`
			`<filter-class>com.myco.servlet.ValidationFilter</filter-class>`
			`</filter>`

			`<filter-mapping>`
			`<filter-name>ValidationFilter</filter-name>`
			`<url-pattern>/*</url-pattern>`
			`</filter-mapping>`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`=== Documentation`

			`* Struts Docs - https://struts.apache.org/core-developers/web-xml[Web.xml Developpers Guide]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify S3355(xml): Migrate to LayC (#3370) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> 2023-10-26 15:19:47 +02:00			`=== Standards`

			`* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`* "xxx" filter should have a mapping.`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`