Using Struts 1 ActionForm is security-sensitive. For example, their use has led in the past to the following vulnerability:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114]

All classes extending ``++org.apache.struts.action.Action++`` are potentially remotely reachable. The ``++ActionForm++`` object provided as a parameter of the ``++execute++`` method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely. 

== Ask Yourself Whether

* some parameters of the ActionForm might not have been validated properly.
* dangerous parameter names are accepted. Example: accept a "class" parameter and use the form to populate JavaBean properties (see the CVE-2014-0114 above).
* there are unused fields which are not empty or undefined.

You are at risk if you answered to any of these questions.

== Recommended Secure Coding Practices

All ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible.


Allow only non security-sensitive property names. All the ActionForm's property names should be whitelisted.


Unused fields should be constrained so that they are either empty or undefined.



= Noncompliant Code Example

----
// Struts 1.1+
public final class CashTransferAction extends Action {

  public String fromAccount = ""; 
  public String toAccount = "";

  public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception {
    // usage of the "form" object to call some services doing JDBC actions
    [...]
    return mapping.findForward(resultat);
  }
}
----

== See

* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/105.html[MITRE, CWE-105]: Struts Form Field Without Validator