SV.STRUTS.VALIDMET

This error is reported when a class extends org.apache.struts.action.ActionForm and does not implement the method 'validate'. Note that this error is not reported if the class extends ValidatorForm because in this case, the method validate is generated automatically based on the XML specification.

Vulnerability and risk

The validate method is the standard mechanism for a struts framework to validate fields. Unvalidated fields is a top security problem for web applications.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Define the validate method and validate ALL form fields. Integer fields can be checked by size, negativity and non-zero value, for example. String fields need more complicated checks based on the type of information. Unvalidated fields can lead to many security vulnerabilities such as SQL injections, Cross-site scripting, and so on.

Example 1

10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 public class SV_STRUTS_VALIDMET_Sample_1 extends ActionForm {
     private String name;
     private String birthdayString;
 
     public String getName() {
         return name;
     }
     public void setName(String name) {
         this.name = name;
     }
     public String getBirthday() {
         return birthdayString;
     }
     public void setBirthday(String birthday) {
         this.birthdayString = birthday;
     }
 }

SV.STRUTS.VALIDMET is reported for class declaration on line 10: Struts: Form 'SV_STRUTS_VALIDMET_Sample_1' does not have method 'validate' defined

External guidance

• CWE-103: Struts: Incomplete validate() Method Definition
• STIG-ID:APP3530 Input Validation
• STIG-ID:APP3540.1 SQL Injection Vulnerabilities
• STIG-ID:APP3580 Cross Site Scripting (XSS) Vulnerabilities