CWE-104 Structs:表单Bean未扩展验证类

Struts: Form Bean Does Not Extend Validation Class

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: unkown

基本描述

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

相关缺陷

适用平台

Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Other Other Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection.
['Confidentiality', 'Integrity', 'Availability', 'Other'] Other Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

可能的缓解方案

Implementation

策略:

Ensure that all forms extend one of the Validation Classes.

示例代码

In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.

bad Java

public class RegistrationForm extends org.apache.struts.action.ActionForm {
// private variables for registration form
private String name;
private String email;
...

public RegistrationForm() {
super();
}

// getter and setter methods for private variables
...
}

However, the RegistrationForm class extends the Struts ActionForm class which does not allow the RegistrationForm class to use the Struts validator capabilities. When using the Struts framework to maintain user data in an ActionForm Bean, the class should always extend one of the validator classes, ValidatorForm, ValidatorActionForm, DynaValidatorForm or DynaValidatorActionForm. These validator classes provide default validation and the validate method for custom validation for the Bean object to use for validating input data. The following Java example shows the RegistrationForm class extending the ValidatorForm class and implementing the validate method for validating input data.

good Java

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
// private variables for registration form
private String name;
private String email;
...

public RegistrationForm() {
super();
}

public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}

// getter and setter methods for private variables
...
}

Note that the ValidatorForm class itself extends the ActionForm class within the Struts framework API.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
7 Pernicious Kingdoms Struts: Form Bean Does Not Extend Validation Class
Software Fault Patterns SFP24 Tainted input to command

相关攻击模式