This vulnerability exposes the application to failures of a wide range of
application-specific features the Strut filter was supposed to perform, such as
authentication, logging, encryption, and more.

== Why is this an issue?

Filters are used to intercept requests and responses from a server and allow
developers to manipulate them. When a `filter` is declared, but the
corresponding `filter assignment` is inadvertently not, then the code is
vulnerable to security problems or business logic instability.

If a filter is defined in the web application descriptor file `web.xml` but is
not used in a "filter mapping", this is an indication that it may have been
forgotten.

=== What is the potential impact?

If a filter is not used in a ``++<filter-mapping>++`` element, it will not be
called. Below are some examples of the impact of this oversight.

==== Unauthorized access

One of the main uses of Struts filters is to provide security measures such as
authentication and authorization. If a filter is forgotten in the filter
mappings, unauthorized users could gain access to sensitive data or perform
actions that they are not authorized to perform.

==== Functional problems

Filters can also be used to modify requests and responses, format data, or even
handle errors. If these features are not included in the filter mappings, they
may not work as expected, resulting in a poor user experience or even
application crash.

==== Performance issues

Some filters are designed to improve the performance of your application, such
as those that implement caching strategies. If these are not mapped, you may
experience slow response times or increased server load on your application.

== How to fix it

=== Code examples

==== Noncompliant code example

[source,xml,diff-id=1,diff-type=noncompliant]
----
<filter>
    <filter-name>ValidationFilter</filter-name> <!-- Noncompliant -->
    <filter-class>com.myco.servlet.ValidationFilter</filter-class>
</filter>
----

==== Compliant solution

[source,xml,diff-id=1,diff-type=compliant]
----
<filter>
    <filter-name>ValidationFilter</filter-name>
    <filter-class>com.myco.servlet.ValidationFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
----

== Resources

=== Documentation

* Struts Docs - https://struts.apache.org/core-developers/web-xml[Web.xml Developpers Guide]

=== Standards

* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* "xxx" filter should have a mapping.

'''

endif::env-github,rspecator-view[]