Audit - Rules - StrutsDescriptionThis group contains audit rules that look for code that violates the best practices specified for programs using the Struts framework. |
Rules:
|
Summary
Only one <field-validator>
should be declared for one action field.
Description
This audit rule violates <field-validator>
declarations that repeat more than once for one action field.
Security Implications
When action field validator is declared more than once for one action field this could lead to an unexpected behavior or failure to validate the user input properly that could possibly allow an attacker to perform some kind of remote attack on a system.
Example
The following declaration in MyAction-validation.xml
declares validator for the field name
twice and would thus be marked as violation:it results in an found bind:
<field name="name">
<field-validator type="required">
<message>Name is required.</message>
</field-validator>
<field-validator type="required">
<message>Please enter your name.</message>
</field-validator>
</field>
Summary
Only one ActionName-validation.xml
file should be declared for one action.
Description
This audit rule violates ActionName-validation.xml
declarations that are found more than once in the project.
Security Implications
When an action validator is declared more than once for one action, this could lead to an unexpected behavior or failure to validate the user input properly which could possibly allow an attacker to perform some kind of remote attack on a system.
Example
A validation file MyAction-validation.xml
for MyAction that is present in more than one place in the project will be marked as a violation.
Summary
If a class extends org.apache.struts.action.ActionForm
, it must define a validate
method.
Description
This audit rule looks for subclasses of ActionForm
that do not implement a validate
method. The validate method is the standard mechanism for a Struts framework to validate fields.
Security Implications
Fields that are not validated are security problem number one for web applications. Failing to validate fields can lead to many security vulnerabilities such as SQL injections and Cross-site scripting.
Example
The following class would be flagged as a violation because the class in this example doesn't define validate
method:
class MyClass extends ActionForm
{
...
}
Summary
If a class extends org.apache.struts.action.ActionForm
, it must not contains non-final static fields.
Description
This audit rule looks for subclasses of ActionForm
that define non-final static fields.
Security Implications
Non-final static fields can be changed by different instances of the form at the same time (on different threads), or between the time of change and the time of use. This fact can provide an opportunity for malicious code to make unsafe changes even if the field is private.
Example
The following field would be flagged as a violation because it is static but is not final:
class MyClass extends ActionForm
{
public static String testStr = "Value";
}
Summary
If a class extends org.apache.struts.action.ActionForm
, it must contain only private fields.
Description
This audit rule looks for subclasses of ActionForm
that define non-private fields that are accessed by getters and setters. The setter method should be used only by the framework; setting an action form field from other actions is bad practice and should be avoided.
Security Implications
Non-private fields can be accessed in a way that avoids validation and creates an invalid state for the Form object. This can be used by malicious code to create unexpected and unintended behavior.
Example
The following field would be flagged as a violation because it is not private:
class MyClass extends ActionForm
{
public static testStr = "Value";
}
Summary
If a class extends org.apache.struts.action.ActionForm
, it should validate all of the fields it declares.
Description
This audit rule looks for subclasses of ActionForm
in which the validate method does not validate all of the fields defined by the class.
Security Implications
Unvalidated fields is the number one security issue for web-applications. Unvalidated fields can lead to many security vulnerabilities such as SQL Injections and Cross Site scripting.
Example
The following class would be flagged as a violation because the field count
is not validated by validate
method.
class MyClass extends ActionForm
{
private testStr = "Value";
private int count;
public ActionErrors validate(ActionMapping map,
ServletRequest req) {
ActionErrors err ActionErroes();
if (testStr == null) {
err.add(ActionErrors.GLOBAL_MESSAGE,
new ActionMessage("testStr is null"));
}
return super(map, req);
}
}
Summary
Struts ActionForm
subclasses should implement the reset()
method.
Description
This audit rule finds ActionForm
subclasses that do not implement the reset()
method.
Security Implications
If some fields are not reset, they can have old values which can be used by an attacker.
Example
The following class declaration would be flagged as a violation because it does not declare a reset()
method:
public class SomeForm extends ActionForm { }
Summary
All validators used in validation logic should be declared in validators.xml
configuration file.
Description
This audit rule finds and violates the usages of validators whose type
is not declared in validators.xml
.
Security Implications
The absence of a declaration of a validator used is a sign of a faulty approach to secure validation all other the application. Validation logic should be kept up to date.
Example
The following customBarFieldValidation
validator usage whould be marked as violation if the corresponding validator is not declared in validators.xml
configuration file:
<validators>
<field name="bar">
<field-validator type="customBarFieldValidation">
<message>You must enter a value for bar.</message>
</field-validator>
</field>
</validators>
Summary
Abandoned validation file is a sign that validation of the actions is not properly handled.
Description
A validation file without a corresponding action could be a result of an action renaming, when developer forgot to rename a validation file.
Security Implications
It indicates problems in the validation of the actions, that should be treated.
Example
When file AddItem-validation.xml
is found with no corresponding action in struts.xml
, the violation is created. The proper action declaration in this case would look like this:
<struts>
...
<package name="sample" namespace="/sample" extends="struts-default">
<action name="AddItem" class="my.sample.AddItemAction">
<result>/pages/AddItem.jsp</result>
</action>
</package>
...
</struts>
Summary
Abandoned field validation is a sign that validation of the actions is not properly handled.
Description
A field validation declared without a corresponding field in the action class could be a result of a field being renamed, when the developer forgot to replace the field name in a validation file.
Security Implications
It indicates problems in the validation of the actions, that should be treated.
Example
Let there be a Struts form class, PostForm
, that declares two fields, title
and message
. The following entry in the file PostForm-validation.xml
will lead to a violation because it validates a non-existent field:
<field name="name">
<field-validator type="requiredstring">
<message>You must enter a name</message>
</field-validator>
</field>
Summary
Duplicating validator names cause errors in validation process.
Description
This audit rule violates declarations of a validators with the same name
attribute.
Security Implications
From two validators with the same name only one will be executed. Duplicating validator names is usually a sign that validation in the application is out of order and should be fixed. Failing in doing so will allow the attacker to inject some kind of invalid data into application.
Example
The following validators.xml
configuration contains two declared validators with the same name; these declarations would be violated:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator Config 1.0//EN" "http://www.opensymphony.com/xwork/xwork-validator-config-1.0.dtd">
<validators>
<validator name="custom" class="org.some.validation.old.CustomValidator1"/>
<validator name="custom" class="org.some.validation.new.CustomValidator2"/>
</validators>
Summary
All fields of a Struts2 action should be validated even if some of them are unused.
Description
In situations when one Struts2 action class is used in several forms and each form uses a subset of the classes fields it is a common mistake to validate only those fields which are used in a given form.
Security Implications
This may allow an attacker to inject unvalidated input into your application. Thus, all fields of a form should be validated even if some of them are unused.
Example
Let there be a Struts2 action class, QuizAction
, that declares three fields, name
, age
and answer
. The following entry in the QuizAction-validation.xml
will lead to a violation because it validates only two of them:
<validators>
<field name="name">
<field-validator type="requiredstring">
<message>You must enter a name</message>
</field-validator>
</field>
<field name="age">
<field-validator type="int">
<param name="min">13</param>
<param name="max">19</param>
<message>Only people ages 13 to 19 may take this quiz</message>
</field-validator>
</field>
</validators>
Summary
All fields of a Struts action form should be validated even if some of them are unused.
Description
In situations when one Struts action form class is used in several forms and each form uses a subset of the classes fields it is a common mistake to validate only those fields which are used in a given form.
Security Implications
This may allow an attacker to inject unvalidated input into your application. Thus, all fields of a form should be validated even if some of them are unused.
Example
Let there be a Struts form class, QuizAction
, that declares three fields, name
, age
and answer
. The following entry in the validation.xml
will lead to a violation because it validates only two of them:
<form name="quizForm">
<field property="name" depends="required">
<arg key="quizForm.name"/>
</field>
<field property="age" depends="required">
<arg key="quizForm.age"/>
</field>
</form>
Summary
Validation plug-in is disabled by default and should be explicitly enabled in Struts configuration.
Description
This rule violates struts-config.xml
configuration file that does not explicitly specify Validation framework enabled.
Security Implications
Unvalidated input can be used by an attacker to perform all kinds of remote attacks.
Example
The following code declares the usage of Struts validation framework. If struts-config.xml
configuration file does not contain this code, it will be violated:
<plug-in className="org.apache.struts.validator.ValidatorPlugIn">
<set-property property="pathnames" value="/technology/WEB-INF/validator-rules.xml, /WEB-INF/validation.xml"/>
</plug-in>