ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4530/java/rule.adoc
pedro-oliveira-sonarsource 082b3ef269
Modify: Fix old/broken embedded links (#1100)
2022-07-08 13:58:56 +02:00

70 lines
2.3 KiB
Plaintext
Raw Blame History

Using Struts 1 ActionForm is security-sensitive. For example, their use has led in the past to the following vulnerability:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114]
All classes extending ``++org.apache.struts.action.Action++`` are potentially remotely reachable. The ``++ActionForm++`` object provided as a parameter of the ``++execute++`` method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely.
== Ask Yourself Whether
* some parameters of the ActionForm might not have been validated properly.
* dangerous parameter names are accepted. Example: accept a "class" parameter and use the form to populate JavaBean properties (see the CVE-2014-0114 above).
* there are unused fields which are not empty or undefined.
You are at risk if you answered to any of these questions.
== Recommended Secure Coding Practices
All ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible.
Allow only non security-sensitive property names. All the ActionForm's property names should be whitelisted.
Unused fields should be constrained so that they are either empty or undefined.
== Noncompliant Code Example
[source,java]
----
// Struts 1.1+
public final class CashTransferAction extends Action {
public String fromAccount = "";
public String toAccount = "";
public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception {
// usage of the "form" object to call some services doing JDBC actions
[...]
return mapping.findForward(resultat);
}
}
----
== See
* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/105[MITRE, CWE-105] - Struts Form Field Without Validator
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
include::highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink