Rules Repository: RSPEC-4530

Using Struts 1 ActionForm is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that the ActionForm is used safely here.
    • Highlighting:
      First: the perform method for Struts 1.0 or the execute method for Struts 1.1+
      Second: locations where the ActionForm object is used
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Scope:
      Main Sources
    • OWASP:
      A1
    • FindSecBugs:
      STRUTS1_ENDPOINT

      Description

      Using Struts 1 ActionForm is security-sensitive. For example, its use has led in the past to the following vulnerability: CVE-2014-0114.

      All classes extending org.apache.struts.action.Action are potentially remotely reachable. The ActionForm object provided as a parameter of the execute method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely.
      This rule is there to allow a security auditor to quickly find some potential hotspots to review.

      Ask Yourself Whether

      • some parameters of the ActionForm might not have been validated properly.
      • dangerous parameter names are accepted. Example: accepting a "class" parameter and using the form to populate JavaBean properties (see CVE-2014-0114 above).
      • there are unused fields which are neither empty nor undefined.

      You are at risk if you answered yes to any of these questions.

      Recommended Secure Coding Practices

      All of the ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible.

      Allow only non-security-sensitive property names: all of the ActionForm's property names should be whitelisted.

      Unused fields should be constrained so that they are either empty or undefined.

      Noncompliant Code Example

      // Struts 1.1+
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import org.apache.struts.action.Action;
      import org.apache.struts.action.ActionForm;
      import org.apache.struts.action.ActionForward;
      import org.apache.struts.action.ActionMapping;

      public final class CashTransferAction extends Action {

        public String fromAccount = "";
        public String toAccount = "";

        // Noncompliant: "form" was populated straight from the HTTP request parameters
        // and is handed on without any check of its property names or values.
        public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws Exception {
          // usage of the "form" object to call some services doing JDBC actions
          [...]
          return mapping.findForward(resultat);
        }
      }
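A compliant counterpart to the action above, added here as an illustration and not one of the rule's own examples: an ActionForm that whitelists both property names and values, bounds their size, and clears unused fields before each request. The class name, property names and message keys are assumptions.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
// Hypothetical form for the CashTransferAction above (not one of the rule's own examples).
public final class CashTransferForm extends ActionForm {
  // Whitelist of property names the request may populate; anything else, such as a
  // "class" parameter (the CVE-2014-0114 vector), is reported as an error in validate().
  private static final List<String> ALLOWED_PARAMS = Arrays.asList("fromAccount", "toAccount");
  // Whitelist of values: digits only, with the size bounded by the quantifier.
  private static final String ACCOUNT_PATTERN = "[0-9]{8,12}";

  private String fromAccount = "";
  private String toAccount = "";

  public String getFromAccount() { return fromAccount; }
  public void setFromAccount(String v) { fromAccount = v == null ? "" : v; }
  public String getToAccount() { return toAccount; }
  public void setToAccount(String v) { toAccount = v == null ? "" : v; }

  // Struts calls validate() before execute() when the action mapping has validate="true";
  // a non-empty ActionErrors sends the request back to the mapping's "input" page instead.
  @Override
  public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
    ActionErrors errors = new ActionErrors();
    for (Object name : request.getParameterMap().keySet()) {
      if (!ALLOWED_PARAMS.contains(name)) {
        // message keys are assumed to exist in the application's resource bundle
        errors.add(ActionErrors.GLOBAL_MESSAGE, new ActionMessage("errors.unexpected.parameter"));
        break;
      }
    }
    if (!fromAccount.matches(ACCOUNT_PATTERN)) {
      errors.add("fromAccount", new ActionMessage("errors.account.format"));
    }
    if (!toAccount.matches(ACCOUNT_PATTERN)) {
      errors.add("toAccount", new ActionMessage("errors.account.format"));
    }
    return errors;
  }
  // reset() runs before population, so a session-scoped form never carries stale values forward.
  @Override
  public void reset(ActionMapping mapping, HttpServletRequest request) {
    fromAccount = "";
    toAccount = "";
  }
}
```

Struts populates the form from the request before validate() runs, so the name check reports a stray parameter but cannot undo the population itself; keep it alongside the framework-level protection (a BeanUtils that excludes the "class" property from population).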
      

      People

      • Assignee: Unassigned
      • Reporter: Alexandre Gigleux