SV.STRUTS.NOTRESET
This error appears when a class extends org.apache.struts.action.ActionForm and has a reset method, but it does not reset some fields.
Vulnerability and risk
IReset method is called before filling out a form with request parameters. If some fields are not reset, they can have old values which can be used by an attacker. Since a client request can be easily manipulated by an attacker, do not depend on the presence of certain fields in a request.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Mitigation and prevention
Reset all fields that a client can populate. If a field cannot be populated by the client that usually means the Form tries to implement some business logic or is used as an output form, which normally should not be part of the ActionForm and should be implemented by a different class.
Example 1
public class SV_STRUTS_NOTRESET_Sample_1 extends ActionForm {
private String name;
private String[] cars = new String[10];
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getCar(int i) {
return cars[i];
}
public void setCar(int i, String car) {
this.cars[i] = car;
}
public void reset(ActionMapping map,
HttpServletRequest req) {
cars = new String[10];
}
}
SV.STRUTS.NOTRESET is reported for field declaration on line 14: Struts: Form field 'SV_STRUTS_NOTRESET_Sample_1' 'name' is not reset by 'reset' method
External guidance
Security training
Application security training materials provided by Secure Code Warrior.