SV.STRUTS.PRIVATE
This error appears when a class that extends org.apache.struts.action.ActionForm declares a field that is not private.
Vulnerability and risk
An ActionForm class should contain only private fields, accessed through its getters and setters. Declaring a non-private field breaks this contract: any class in the same package (or, for a protected field, any subclass) can write the field directly, bypassing the setter and the form's validate() method, and so put the form object into an invalid state that downstream actions then trust.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or may simply introduce human error.
Mitigation and prevention
Make all fields private. Use the getters to read field values. The setters should be called only by the framework while it populates the form from the request; setting an action form field from other actions is bad practice and should be avoided.
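The following form is an added example (not code from the Klocwork page) showing what the mitigation looks like in practice against the Struts 1.x ActionForm API: every field is private, the setters are the only write path the framework uses during request population, and validate() is the single place where the values are checked before any action reads them. The class name BirthdayForm, the resource-bundle message keys (error.name.required and so on) and the ISO yyyy-MM-dd date format are assumptions for illustration; the validate() and reset() signatures are those of org.apache.struts.action.ActionForm.

```java
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

// Added example (not Klocwork's code). Hardened counterpart of the flawed sample:
// all state is private, so the only way to set it is the setters the framework
// calls, and the only way to read it is the getters.
public class BirthdayForm extends ActionForm {
    private String name;
    private String birthdayString;

    public String getName() { return name; }
    public void setName(String name) { this.name = name == null ? null : name.trim(); }

    public String getBirthday() { return birthdayString; }
    public void setBirthday(String birthday) {
        this.birthdayString = birthday == null ? null : birthday.trim();
    }

    // Only meaningful after validate() has accepted birthdayString. Had the field
    // been protected, a subclass or same-package class could assign
    // form.birthdayString = "not-a-date" after validation and this would throw.
    public LocalDate getBirthdayAsDate() { return LocalDate.parse(birthdayString); }

    // Struts calls reset(), then populates the form from request parameters through
    // the setters, then calls validate(). Message keys below are assumed to exist
    // in the application's resource bundle.
    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (name == null || name.isEmpty()) {
            errors.add("name", new ActionMessage("error.name.required"));
        }
        if (birthdayString == null || birthdayString.isEmpty()) {
            errors.add("birthday", new ActionMessage("error.birthday.required"));
        } else {
            try {
                LocalDate d = LocalDate.parse(birthdayString); // expects yyyy-MM-dd
                if (d.isAfter(LocalDate.now())) {
                    errors.add("birthday", new ActionMessage("error.birthday.future"));
                }
            } catch (DateTimeParseException e) {
                errors.add("birthday", new ActionMessage("error.birthday.invalid"));
            }
        }
        return errors;
    }

    // Clear state so a pooled form instance never carries values between requests.
    @Override
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        name = null;
        birthdayString = null;
    }
}
```

When validate() returns a non-empty ActionErrors, Struts forwards to the mapping's input page instead of invoking the action, so an action only ever sees a form whose fields passed these checks. That guarantee holds precisely because nothing outside the class can write birthdayString without going through setBirthday(); it is the guarantee the protected field in Example 1 gives up.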
Example 1
import org.apache.struts.action.ActionForm;

public class SV_STRUTS_PRIVATE_Sample_1 extends ActionForm {
    private String name;
    // Defect: a protected field can be written directly by subclasses and by any
    // class in the same package, bypassing setBirthday() and validate().
    protected String birthdayString;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getBirthday() {
        return birthdayString;
    }

    public void setBirthday(String birthday) {
        this.birthdayString = birthday;
    }
}
SV.STRUTS.PRIVATE is reported for the declaration of the protected field 'birthdayString': Struts: Form field 'birthdayString' should be private