CWE-103: Struts: Incomplete validate() Method Definition

CWE-103: Struts: Incomplete validate() Method Definition | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and the RegistrationForm bean in the Struts framework will maintain the user data. Tthe RegistrationForm class implements the validate method to validate the user input entered into the form.

Vulnerable example

java

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {

Safe example

java

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {

Although the validate method is implemented in this example the method does not call the validate method of the ValidatorForm parent class with a call super.validate(). Without the call to the parent validator class only the custom validation will be performed and the default validation will not be performed. The following example shows that the validate method of the ValidatorForm class is called within the implementation of the validate method.

CWE-103: Struts: Incomplete validate() Method Definition

Overview

Background

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-103?

How do you prevent CWE-103?

How is CWE-103 detected?

What are the consequences of CWE-103?

References

Stay ahead of CWE-103

Overview

Background

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-103?

How do you prevent CWE-103?

How is CWE-103 detected?

What are the consequences of CWE-103?

References

Stay ahead of CWE-103