CWE-104: Struts: Form Bean Does Not Extend Validation Class
Struts: Form Bean Does Not Extend Validation Class
Weakness ID: 104 (Weakness Variant)
Status: Draft
Description
Description Summary
If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.
Time of Introduction
Implementation
Applicable Platforms
Languages
Java
Common Consequences
Scope
Effect
Technical Impact: Other
Bypassing the validation framework for a form exposes the application
to numerous types of attacks. Unchecked input is an important component
of vulnerabilities like cross-site scripting, process control, and SQL
injection.
Technical Impact: Other
Although J2EE applications are not generally susceptible to memory
corruption attacks, if a J2EE application interfaces with native code
that does not perform array bounds checking, an attacker may be able to
use an input validation mistake in the J2EE application to launch a
buffer overflow attack.
Demonstrative Examples
Example 1
In the following Java example the class RegistrationForm is a Struts
framework ActionForm Bean that will maintain user information from a
registration webpage for an online business site. The user will enter
registration data and through the Struts framework the RegistrationForm bean
will maintain the user data.
(Bad Code)
Example
Language: Java
public class RegistrationForm extends
org.apache.struts.action.ActionForm {
// private variables for registration form
private String name;
private String email;
...
public RegistrationForm() {
super();
}
// getter and setter methods for private variables
...
}
However, the RegistrationForm class extends the Struts ActionForm
class which does not allow the RegistrationForm class to use the Struts
validator capabilities. When using the Struts framework to maintain user
data in an ActionForm Bean, the class should always extend one of the
validator classes, ValidatorForm, ValidatorActionForm, DynaValidatorForm
or DynaValidatorActionForm. These validator classes provide default
validation and the validate method for custom validation for the Bean
object to use for validating input data. The following Java example
shows the RegistrationForm class extending the ValidatorForm class and
implementing the validate method for validating input data.
(Good Code)
Example
Language: Java
public class RegistrationForm extends
org.apache.struts.validator.ValidatorForm {
// private variables for registration form
private String name;
private String email;
...
public RegistrationForm() {
super();
}
public ActionErrors validate(ActionMapping mapping,
HttpServletRequest request) {...}
// getter and setter methods for private variables
...
}
Note that the ValidatorForm class itself extends the ActionForm class
within the Struts framework API.
Potential Mitigations
Phase: Implementation
Ensure that all forms extend one of the Validation Classes.
Background Details
In order to use the Struts Validator, a form must extend one of the
following: ValidatorForm, ValidatorActionForm, DynaValidatorActionForm, and
DynaValidatorForm. You must extend one of these classes because the Struts
Validator ties in to your application by implementing the validate() method
in these classes. Forms derived from the ActionForm and DynaActionForm
classes cannot use the Struts Validator.
Weakness Ordinalities
Ordinality
Description
(where
the weakness exists independent of other weaknesses)
Description
