SV.STRUTS.NOTVALID

This error occurs when a class extends org.apache.struts.action.ActionForm and has a validate method, but does not validate some fields.

Vulnerability and risk

Unvalidated fields is a number-one security issue for web applications. Unvalidated fields can lead to many security vulnerabilities, such as SQL Injections, Cross-Site scripting, and so on.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Define the validate method and validate ALL form fields. Integer fields can be checked by size, negativity and being non-zero, for example. String fields need more complicated checks based on the type of information.

Example 1

Copy
 public class SV_STRUTS_NOTVALID_Sample_1 extends ActionForm {
     private String name;
     private String birthdayString;
     protected Date birthday;
     public ActionErrors validate(ActionMapping map,
                                  HttpServletRequest req) {
         ActionErrors errors = new ActionErrors();
         SimpleDateFormat dateConvertor = new SimpleDateFormat(
                 req.getParameter("date.format"));
         try {
             birthday = dateConvertor.parse(birthdayString);
         } catch (ParseException e) {
             errors.add(ActionErrors.GLOBAL_MESSAGE,
                        new ActionMessage("Bad date"));
         }
         return super.validate(map, req);
     }
     public String getName() {
         return name;
     }
     public void setName(String name) {
         this.name = name;
     }
     public String getBirthday() {
         return birthdayString;
     }
     public void setBirthday(String birthday) {
         this.birthdayString = birthday;
     }
 }

SV.STRUTS.NOTVALID for field declaration on line 19: Struts: Form field 'SV_STRUTS_NOTVALID_Sample_1' 'name' is not validated by 'validate' method.