RSPEC-4531

Using setters in Struts 2 ActionSupport is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that executing this ActionSupport is safe.
    • Highlighting:
      First: the execute method
      Second: locations where the setters are defined.
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Scope:
      Main Sources
    • OWASP:
      A1
    • FindSecBugs:
      STRUTS2_ENDPOINT

      Description

      Using setters in Struts 2 ActionSupport is security-sensitive. For example, their use has led in the past to the following vulnerabilities:

      All classes extending com.opensymphony.xwork2.ActionSupport are potentially remotely reachable. An action class extending ActionSupport will receive all HTTP parameters sent and these parameters will be automatically mapped to the setters of the Struts 2 action class. One should review the use of the fields set by the setters, to be sure they are used safely. By default, they should be considered as untrusted inputs.
      This rule is there to allow a security auditor to quickly find some potential hotspots to review.

      Ask Yourself Whether

      • the setter is needed. There is no need for it if the attribute's purpose is not to receive a request parameter.
      • the value provided to the setter is properly sanitized before being used or stored.

      You are at risk if you answered yes to any of these questions.

      Recommended Secure Coding Practices

      As stated in the Struts documentation: "Do not define setters when not needed".
      Sanitize the user input. This can, for example, be done by implementing the validate() method of com.opensymphony.xwork2.ActionSupport.

      Noncompliant Code Example

      import com.opensymphony.xwork2.ActionSupport;

      public class AccountBalanceAction extends ActionSupport {
        private static final long serialVersionUID = 1L;
        private Integer accountId;

        // this setter might be called with user input: Struts 2 maps the
        // "accountId" request parameter onto it automatically
        public void setAccountId(Integer accountId) {
          this.accountId = accountId;
        }

        @Override
        public String execute() throws Exception {
          // call a service to get the account's details and its balance
          // [...]
          return SUCCESS;
        }
      }
      
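      A hardened version of the action above, added here as an example and not part of the original rule page: it keeps only the setter that genuinely has to receive a request parameter, gives the derived field no setter at all, and checks the parameter in validate() so that execute() only ever runs with a checked value. The in-memory BALANCES map is a constructed stand-in for the account service; the interceptor-stack behaviour described in the comments is that of the Struts 2 defaultStack.

```java
import com.opensymphony.xwork2.ActionSupport;
import java.util.Map;

public class AccountBalanceAction extends ActionSupport {
    private static final long serialVersionUID = 1L;

    // Constructed stand-in for the real account service (sample data only).
    private static final Map<Integer, Long> BALANCES = Map.of(42, 1_250L, 7, 80L);

    // Mapped from the "accountId" request parameter by the params
    // interceptor: treat it as untrusted until validate() has run.
    private Integer accountId;

    // Derived state. Deliberately no setter, so a request cannot set it.
    private long balance;

    public void setAccountId(Integer accountId) {
        this.accountId = accountId;
    }

    // Read-only from the view layer.
    public long getBalance() {
        return balance;
    }

    // Called by the validation interceptor before execute(). With the
    // defaultStack, any field error makes the workflow interceptor return
    // the INPUT result and execute() is skipped entirely.
    @Override
    public void validate() {
        if (accountId == null) {
            addFieldError("accountId", "Account id is required");
        } else if (accountId <= 0) {
            addFieldError("accountId", "Account id must be positive");
        }
    }

    @Override
    public String execute() throws Exception {
        // accountId is non-null and positive here; still handle unknown ids
        // rather than assuming the parameter names an existing account.
        Long found = BALANCES.get(accountId);
        if (found == null) {
            addActionError("No such account");
            return ERROR;
        }
        balance = found;
        return SUCCESS;
    }
}
```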

      See

              People

              • Assignee:
                Unassigned
              • Reporter:
                Alexandre Gigleux