16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
85 lines
2.6 KiB
Plaintext
85 lines
2.6 KiB
Plaintext
Using Struts 1 ActionForm is security-sensitive. For example, their use has led in the past to the following vulnerability:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114]
|
|
|
|
All classes extending ``++org.apache.struts.action.Action++`` are potentially remotely reachable. The ``++ActionForm++`` object provided as a parameter of the ``++execute++`` method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely.
|
|
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* some parameters of the ActionForm might not have been validated properly.
|
|
* dangerous parameter names are accepted. Example: accept a "class" parameter and use the form to populate JavaBean properties (see the CVE-2014-0114 above).
|
|
* there are unused fields which are not empty or undefined.
|
|
|
|
You are at risk if you answered to any of these questions.
|
|
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
All ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible.
|
|
|
|
|
|
Allow only non security-sensitive property names. All the ActionForm's property names should be whitelisted.
|
|
|
|
|
|
Unused fields should be constrained so that they are either empty or undefined.
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,java]
|
|
----
|
|
// Struts 1.1+
|
|
public final class CashTransferAction extends Action {
|
|
|
|
public String fromAccount = "";
|
|
public String toAccount = "";
|
|
|
|
public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception {
|
|
// usage of the "form" object to call some services doing JDBC actions
|
|
[...]
|
|
return mapping.findForward(resultat);
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
|
|
* https://cwe.mitre.org/data/definitions/105[MITRE, CWE-105] - Struts Form Field Without Validator
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Make sure that the ActionForm is used safely here.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
First: the ``++perform++`` method for Struts 1.0 or the ``++execute++`` method for Struts 1.1+
|
|
|
|
Second: locations where the ``++ActionForm++`` object is used
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== is related to: S4529
|
|
|
|
=== on 26 Mar 2018, 20:56:54 Alexandre Gigleux wrote:
|
|
This is a "Security Finding".
|
|
|
|
=== on 27 May 2020, 16:47:34 Eric Therond wrote:
|
|
Deprecated because it overlaps with SonarSecurity
|
|
|
|
endif::env-github,rspecator-view[]
|