CWE-102 Structs:重复验证表单
Struts: Duplicate Validation Forms
结构: Simple
Abstraction: Variant
状态: Incomplete
被利用可能性: unkown
基本描述
The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.
扩展描述
If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 694 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 700 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Integrity | Unexpected State |
可能的缓解方案
Implementation
策略:
The DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the xml configuration files.
示例代码
例
Two validation forms with the same name.
bad XML
<form name="ProjectForm"> ... </form>
It is critically important that validation logic be maintained and kept in sync with the rest of the application.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | Struts: Duplicate Validation Forms | ||
| Software Fault Patterns | SFP24 | Tainted input to command |