Java Developer Tools

Audit - Rules - Struts

Description
This group contains audit rules that look for code that violates the best practices specified for programs using the Struts framework.

Rules:

Details

Action Field Revalidated

Summary
Only one <field-validator> should be declared for one action field.

Description
This audit rule violates <field-validator> declarations that repeat more than once for one action field.

Security Implications
When action field validator is declared more than once for one action field this could lead to an unexpected behavior or failure to validate the user input properly that could possibly allow an attacker to perform some kind of remote attack on a system.

Example
The following declaration in MyAction-validation.xml declares validator for the field name twice and would thus be marked as violation:it results in an found bind:

    <field name="name">
        <field-validator type="required">
            <message>Name is required.</message>
        </field-validator>
        <field-validator type="required">
            <message>Please enter your name.</message>
        </field-validator>
    </field>

Action Revalidated

Summary
Only one ActionName-validation.xml file should be declared for one action.

Description
This audit rule violates ActionName-validation.xml declarations that are found more than once in the project.

Security Implications
When an action validator is declared more than once for one action, this could lead to an unexpected behavior or failure to validate the user input properly which could possibly allow an attacker to perform some kind of remote attack on a system.

Example
A validation file MyAction-validation.xml for MyAction that is present in more than one place in the project will be marked as a violation.

Class Should Define Validate Method

Summary
If a class extends org.apache.struts.action.ActionForm, it must define a validate method.

Description
This audit rule looks for subclasses of ActionForm that do not implement a validate method. The validate method is the standard mechanism for a Struts framework to validate fields.

Security Implications
Fields that are not validated are security problem number one for web applications. Failing to validate fields can lead to many security vulnerabilities such as SQL injections and Cross-site scripting.

Example
The following class would be flagged as a violation because the class in this example doesn't define validate method:

    class MyClass extends ActionForm
    {
            ...
    }
    

Class Should Have Final Static Fields

Summary
If a class extends org.apache.struts.action.ActionForm, it must not contains non-final static fields.

Description
This audit rule looks for subclasses of ActionForm that define non-final static fields.

Security Implications
Non-final static fields can be changed by different instances of the form at the same time (on different threads), or between the time of change and the time of use. This fact can provide an opportunity for malicious code to make unsafe changes even if the field is private.

Example
The following field would be flagged as a violation because it is static but is not final:

    class MyClass extends ActionForm
    {
            public static String testStr = "Value";
    }

Class Should Have Private Fields

Summary
If a class extends org.apache.struts.action.ActionForm, it must contain only private fields.

Description
This audit rule looks for subclasses of ActionForm that define non-private fields that are accessed by getters and setters. The setter method should be used only by the framework; setting an action form field from other actions is bad practice and should be avoided.

Security Implications
Non-private fields can be accessed in a way that avoids validation and creates an invalid state for the Form object. This can be used by malicious code to create unexpected and unintended behavior.

Example
The following field would be flagged as a violation because it is not private:

    class MyClass extends ActionForm
    {
            public static testStr = "Value";
    }
    

Class Should Validate All Fields

Summary
If a class extends org.apache.struts.action.ActionForm, it should validate all of the fields it declares.

Description
This audit rule looks for subclasses of ActionForm in which the validate method does not validate all of the fields defined by the class.

Security Implications
Unvalidated fields is the number one security issue for web-applications. Unvalidated fields can lead to many security vulnerabilities such as SQL Injections and Cross Site scripting.

Example
The following class would be flagged as a violation because the field count is not validated by validate method.

    class MyClass extends ActionForm
    {
        private testStr = "Value";
        private int count;

        public ActionErrors validate(ActionMapping map,
                        ServletRequest req)        {
            ActionErrors err ActionErroes();
            if (testStr == null) {
                err.add(ActionErrors.GLOBAL_MESSAGE,
                                new ActionMessage("testStr is null"));
            }
            return super(map, req);
        }
    }
    

Missing reset() Method

Summary
Struts ActionForm subclasses should implement the reset() method.

Description
This audit rule finds ActionForm subclasses that do not implement the reset() method.

Security Implications
If some fields are not reset, they can have old values which can be used by an attacker.

Example
The following class declaration would be flagged as a violation because it does not declare a reset() method:

    public class SomeForm extends ActionForm { }

Missing Validator Name

Summary
All validators used in validation logic should be declared in validators.xml configuration file.

Description
This audit rule finds and violates the usages of validators whose type is not declared in validators.xml.

Security Implications
The absence of a declaration of a validator used is a sign of a faulty approach to secure validation all other the application. Validation logic should be kept up to date.

Example
The following customBarFieldValidation validator usage whould be marked as violation if the corresponding validator is not declared in validators.xml configuration file:

    <validators>
        <field name="bar">
                <field-validator type="customBarFieldValidation">
                        <message>You must enter a value for bar.</message>
                </field-validator>
        </field>
    </validators>

No Action For Validation

Summary
Abandoned validation file is a sign that validation of the actions is not properly handled.

Description
A validation file without a corresponding action could be a result of an action renaming, when developer forgot to rename a validation file.

Security Implications
It indicates problems in the validation of the actions, that should be treated.

Example
When file AddItem-validation.xml is found with no corresponding action in struts.xml, the violation is created. The proper action declaration in this case would look like this:

    <struts>
        ...
        <package name="sample" namespace="/sample" extends="struts-default">
            <action name="AddItem" class="my.sample.AddItemAction">
                <result>/pages/AddItem.jsp</result>
            </action>
        </package>
        ...
    </struts>

No Such Field For Validation

Summary
Abandoned field validation is a sign that validation of the actions is not properly handled.

Description
A field validation declared without a corresponding field in the action class could be a result of a field being renamed, when the developer forgot to replace the field name in a validation file.

Security Implications
It indicates problems in the validation of the actions, that should be treated.

Example
Let there be a Struts form class, PostForm, that declares two fields, title and message. The following entry in the file PostForm-validation.xml will lead to a violation because it validates a non-existent field:

    <field name="name">
        <field-validator type="requiredstring">
            <message>You must enter a name</message>
        </field-validator>
    </field>

Same Validator Name

Summary
Duplicating validator names cause errors in validation process.

Description
This audit rule violates declarations of a validators with the same name attribute.

Security Implications
From two validators with the same name only one will be executed. Duplicating validator names is usually a sign that validation in the application is out of order and should be fixed. Failing in doing so will allow the attacker to inject some kind of invalid data into application.

Example
The following validators.xml configuration contains two declared validators with the same name; these declarations would be violated:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator Config 1.0//EN" "http://www.opensymphony.com/xwork/xwork-validator-config-1.0.dtd">
    <validators>
        <validator name="custom" class="org.some.validation.old.CustomValidator1"/>
        <validator name="custom" class="org.some.validation.new.CustomValidator2"/>
    </validators>

Unvalidated Action Field

Summary
All fields of a Struts2 action should be validated even if some of them are unused.

Description
In situations when one Struts2 action class is used in several forms and each form uses a subset of the classes fields it is a common mistake to validate only those fields which are used in a given form.

Security Implications
This may allow an attacker to inject unvalidated input into your application. Thus, all fields of a form should be validated even if some of them are unused.

Example
Let there be a Struts2 action class, QuizAction, that declares three fields, name, age and answer. The following entry in the QuizAction-validation.xml will lead to a violation because it validates only two of them:

    <validators>
        <field name="name">
            <field-validator type="requiredstring">
                <message>You must enter a name</message>
            </field-validator>
        </field>
        <field name="age">
            <field-validator type="int">
                <param name="min">13</param>
                <param name="max">19</param>
                <message>Only people ages 13 to 19 may take this quiz</message>
            </field-validator>
        </field>
    </validators>

Unvalidated Action Form Field

Summary
All fields of a Struts action form should be validated even if some of them are unused.

Description
In situations when one Struts action form class is used in several forms and each form uses a subset of the classes fields it is a common mistake to validate only those fields which are used in a given form.

Security Implications
This may allow an attacker to inject unvalidated input into your application. Thus, all fields of a form should be validated even if some of them are unused.

Example
Let there be a Struts form class, QuizAction, that declares three fields, name, age and answer. The following entry in the validation.xml will lead to a violation because it validates only two of them:

    <form name="quizForm">
        <field property="name" depends="required">
            <arg key="quizForm.name"/>
        </field>
        <field property="age" depends="required">
            <arg key="quizForm.age"/>
        </field>
    </form>

Validation Not Enabled

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.