rspec/rules/S3374/xml/rule.adoc

== Why is this an issue?

According to the Common Weakness Enumeration,

____
If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations...
____


In such a case, it is likely that the two forms should be combined. At the very least, one should be removed.


=== Noncompliant code example

[source,xml]
----
<form-validation>
  <formset>
    <form name="BookForm"> ... </form>
    <form name="BookForm"> ... </form>  <!-- Noncompliant -->
  </formset>
</form-validation>
----


=== Compliant solution

[source,xml]
----
<form-validation>
  <formset>
    <form name="BookForm"> ... </form>
  </formset>
</form-validation>
----


== Resources

* https://cwe.mitre.org/data/definitions/102[MITRE, CWE-102] - Struts: Duplicate Validation Forms
* https://owasp.org/www-community/vulnerabilities/Improper_Data_Validation[OWASP, Improper Data Validation] - Struts: Duplicate Validation Forms


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Rename this form; line x holds another form declaration with the same name.


=== Highlighting

* primary: second instance of form name
* secondary: original instance of form name
** message: original


'''
== Comments And Links
(visible only on this page)

=== on 12 Oct 2015, 14:49:34 Ann Campbell wrote:
in ``++validation.xml++``

=== on 19 Mar 2018, 11:04:46 Sébastien GIORIA - AppSecFR wrote:
According to [CWE-102], is a member of A1:2017 Injection.




=== on 29 May 2018, 17:07:01 Alexandre Gigleux wrote:
\[~SPoint] CWE-102 is saying "OWASP Top Ten 2004 Category A1 - Unvalidated Input" and there is no longer a category for "Unvalidated Input".

endif::env-github,rspecator-view[]