ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4530/java/rule.adoc
Arseniy Zaostrovnykh a6e4582881 Fix the missing default metadata fields
2021-04-28 18:08:03 +02:00

52 lines
2.0 KiB
Plaintext
Raw Blame History

Using Struts 1 ActionForm is security-sensitive. For example, their use has led in the past to the following vulnerability:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114]
All classes extending ``++org.apache.struts.action.Action++`` are potentially remotely reachable. The ``++ActionForm++`` object provided as a parameter of the ``++execute++`` method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely.
== Ask Yourself Whether
* some parameters of the ActionForm might not have been validated properly.
* dangerous parameter names are accepted. Example: accept a "class" parameter and use the form to populate JavaBean properties (see the CVE-2014-0114 above).
* there are unused fields which are not empty or undefined.
You are at risk if you answered to any of these questions.
== Recommended Secure Coding Practices
All ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible.
Allow only non security-sensitive property names. All the ActionForm's property names should be whitelisted.
Unused fields should be constrained so that they are either empty or undefined.
= Noncompliant Code Example
----
// Struts 1.1+
public final class CashTransferAction extends Action {
public String fromAccount = "";
public String toAccount = "";
public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception {
// usage of the "form" object to call some services doing JDBC actions
[...]
return mapping.findForward(resultat);
}
}
----
== See
* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/105.html[MITRE, CWE-105]: Struts Form Field Without Validator
Reference in New Issue View Git Blame Copy Permalink