ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4531/java/rule.adoc
pedro-oliveira-sonarsource 082b3ef269
Modify: Fix old/broken embedded links (#1100)
2022-07-08 13:58:56 +02:00

67 lines
2.1 KiB
Plaintext
Raw Blame History

Using setters in Struts 2 ActionSupport is security-sensitive. For example, their use has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1006[CVE-2012-1006]
All classes extending ``++com.opensymphony.xwork2.ActionSupport++`` are potentially remotely reachable. An action class extending ActionSupport will receive all HTTP parameters sent and these parameters will be automatically mapped to the setters of the Struts 2 action class. One should review the use of the fields set by the setters, to be sure they are used safely. By default, they should be considered as untrusted inputs.
== Ask Yourself Whether
* the setter is needed. There is no need for it if the attribute's goal is not to map queries' parameter.
* the value provided to the setter is properly sanitized before being used or stored. (*)
(*) You are at risk if you answered yes to this question.
== Recommended Secure Coding Practices
As said in Struts documentation: https://struts.apache.org/security/#do-not-define-setters-when-not-needed["Do not define setters when not needed"]
Sanitize the user input. This can be for example done by implementing the ``++validate()++`` method of ``++com.opensymphony.xwork2.ActionSupport++``.
== Noncompliant Code Example
[source,java]
----
public class AccountBalanceAction extends ActionSupport {
private static final long serialVersionUID = 1L;
private Integer accountId;
// this setter might be called with user input
public void setAccountId(Integer accountId) {
this.accountId = accountId;
}
@Override
public String execute() throws Exception {
// call a service to get the account's details and its balance
[...]
return SUCCESS;
}
}
----
== See
* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
include::highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink