Using Struts 1 ActionForm is security-sensitive. For example, their use has led in the past to the following vulnerability: * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114] All classes extending ``++org.apache.struts.action.Action++`` are potentially remotely reachable. The ``++ActionForm++`` object provided as a parameter of the ``++execute++`` method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely. == Ask Yourself Whether * some parameters of the ActionForm might not have been validated properly. * dangerous parameter names are accepted. Example: accept a "class" parameter and use the form to populate JavaBean properties (see the CVE-2014-0114 above). * there are unused fields which are not empty or undefined. You are at risk if you answered to any of these questions. == Recommended Secure Coding Practices All ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible. Allow only non security-sensitive property names. All the ActionForm's property names should be whitelisted. Unused fields should be constrained so that they are either empty or undefined. == Noncompliant Code Example [source,java] ---- // Struts 1.1+ public final class CashTransferAction extends Action { public String fromAccount = ""; public String toAccount = ""; public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception { // usage of the "form" object to call some services doing JDBC actions [...] return mapping.findForward(resultat); } } ---- == See * https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection * https://cwe.mitre.org/data/definitions/105[MITRE, CWE-105] - Struts Form Field Without Validator ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::message.adoc[] include::highlighting.adoc[] ''' == Comments And Links (visible only on this page) include::comments-and-links.adoc[] endif::env-github,rspecator-view[]