Struts: Form Bean Does Not Extend Validation Class

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.


Background

In order to use the Struts Validator, a form must extend one of the following: ValidatorForm, ValidatorActionForm, DynaValidatorActionForm, and DynaValidatorForm. You must extend one of these classes because the Struts Validator ties in to your application by implementing the validate() method in these classes. Forms derived from the ActionForm and DynaActionForm classes cannot use the Struts Validator.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.

public class RegistrationForm extends org.apache.struts.action.ActionForm {


  // private variables for registration form
  private String name;
  private String email;
  ...

  public RegistrationForm() {
    super();
  }

  // getter and setter methods for private variables
  ...

}

However, the RegistrationForm class extends the Struts ActionForm class which does not allow the RegistrationForm class to use the Struts validator capabilities. When using the Struts framework to maintain user data in an ActionForm Bean, the class should always extend one of the validator classes, ValidatorForm, ValidatorActionForm, DynaValidatorForm or DynaValidatorActionForm. These validator classes provide default validation and the validate method for custom validation for the Bean object to use for validating input data. The following Java example shows the RegistrationForm class extending the ValidatorForm class and implementing the validate method for validating input data.

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {


  // private variables for registration form
  private String name;
  private String email;
  ...

  public RegistrationForm() {
    super();
  }

  public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}

  // getter and setter methods for private variables
  ...

}

Note that the ValidatorForm class itself extends the ActionForm class within the Struts framework API.

See Also

SFP Secondary Cluster: Tainted Input to Command

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Weaknesses in Software Written in Java

This view (slice) covers issues that are found in Java programs that are not common to all languages.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.