Using Struts 1 ActionForm is security-sensitive. For example, their use has led in the past to the following vulnerability:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114]

All classes extending ``++org.apache.struts.action.Action++`` are potentially remotely reachable. The ``++ActionForm++`` object provided as a parameter of the ``++execute++`` method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely. 


== Ask Yourself Whether

* some parameters of the ActionForm might not have been validated properly.
* dangerous parameter names are accepted. Example: accept a "class" parameter and use the form to populate JavaBean properties (see the CVE-2014-0114 above).
* there are unused fields which are not empty or undefined.

You are at risk if you answered to any of these questions.


== Recommended Secure Coding Practices

All ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible.


Allow only non security-sensitive property names. All the ActionForm's property names should be whitelisted.


Unused fields should be constrained so that they are either empty or undefined.



== Sensitive Code Example

[source,java]
----
// Struts 1.1+
public final class CashTransferAction extends Action {

  public String fromAccount = ""; 
  public String toAccount = "";

  public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception {
    // usage of the "form" object to call some services doing JDBC actions
    [...]
    return mapping.findForward(resultat);
  }
}
----


== See

* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/105[MITRE, CWE-105] - Struts Form Field Without Validator


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure that the ActionForm is used safely here.


=== Highlighting

First: the ``++perform++`` method for Struts 1.0 or the ``++execute++`` method for Struts 1.1+

Second: locations where the ``++ActionForm++`` object is used


'''
== Comments And Links
(visible only on this page)

=== is related to: S4529

=== on 26 Mar 2018, 20:56:54 Alexandre Gigleux wrote:
This is a "Security Finding".

=== on 27 May 2020, 16:47:34 Eric Therond wrote:
Deprecated because it overlaps with SonarSecurity

endif::env-github,rspecator-view[]