SV.STRUTS.RESETMET

This error is detected when a class extends org.apache.struts.action.ActionForm and does not implement the method 'reset'.

Vulnerability and risk

The reset method is called before filling out a form with request parameters. If some fields are not reset, they can retain old values which can be user by an attacker. Since a client request can be early manipulated by an attacker, do not depend on the presence of certain fields in a request.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Reset all fields that a client can populate. If a field cannot be populated by the client, that usually mean the form tries to implement some business logic or is used as an output form, which normally should not be part of the ActionForm and should be implemented by a different class.

Example 1

Copy

10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 public class SV_STRUTS_RESETMET_Sample_1 extends ActionForm {
     private String name;
     private String[] cars = new String[10];
     public String getName() {
         return name;
     }
     public void setName(String name) {
         this.name = name;
     }
     public String getCar(int i) {
         return cars[i];
     }
     public void setCar(int i, String car) {
         this.cars[i] = car;
     }
 }

SV.STRUTS.RESETMET is reported for form declaration on line 10: Struts: Form 'SV_STRUTS_RESETMET_Sample_1' does not have method 'reset' defined

External guidance

CWE-226: Sensitive Information Uncleared Before Release

Security training

Application security training materials provided by Secure Code Warrior.

Sensitive Data Exposure Training Video - Test your skills with a training example