Variant · Low-Medium

CWE-103: Struts: Incomplete validate() Method Definition

CWE-103 · Variant Level · 1 Mitigation

Description

The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

Potential Impact

  • Scope: Other — Impact: Unexpected State, Varies by Context
  • Scope: Confidentiality, Integrity, Availability, Other — Impact: Other

Demonstrative Examples

In the following Java example the class RegistrationForm is a Struts framework ActionForm bean that holds the user input submitted from the registration page of an online business site. The user enters registration data and the RegistrationForm bean maintains that data inside the Struts framework. The RegistrationForm class implements the validate method to validate the user input entered into the form.
Bad
    import javax.servlet.http.HttpServletRequest;
    import org.apache.struts.action.ActionErrors;
    import org.apache.struts.action.ActionMapping;
    import org.apache.struts.action.ActionMessage;

    public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
        // private variables for registration form
        private String name;
        private String email;
        ...

        public RegistrationForm() {
            super();
        }

        // Only the custom check below runs: super.validate() is never called,
        // so the framework's default validation is skipped (CWE-103).
        public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
            ActionErrors errors = new ActionErrors();
            if (getName() == null || getName().length() < 1) {
                errors.add("name", new ActionMessage("error.name.required"));
            }
            return errors;
        }

        // getter and setter methods for private variables
        ...
    }
Although the validate method is implemented in this example, it never calls the validate method of the ValidatorForm parent class with super.validate(). Without that call only the custom validation is performed and the framework's default validation is silently skipped. The following example shows the validate method of the ValidatorForm class being called from within the overriding validate method.
Good
    import javax.servlet.http.HttpServletRequest;
    import org.apache.struts.action.ActionErrors;
    import org.apache.struts.action.ActionMapping;
    import org.apache.struts.action.ActionMessage;

    public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
        // private variables for registration form
        private String name;
        private String email;
        ...

        public RegistrationForm() {
            super();
        }

        public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
            // Run the framework's default validation first, then add custom checks.
            ActionErrors errors = super.validate(mapping, request);
            if (errors == null) {
                errors = new ActionErrors();
            }

            if (getName() == null || getName().length() < 1) {
                errors.add("name", new ActionMessage("error.name.required"));
            }
            return errors;
        }

        // getter and setter methods for private variables
        ...
    }

Mitigations & Prevention

Implementation

Implement the validate() method and call super.validate() within that method.

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
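The demonstrative examples above and the SAST detection method suggest a simple source-level check. The following Python script is an added example, not part of the CWE entry: it is a heuristic (regex plus brace matching, no real Java parser) that flags every class extending a Struts ValidatorForm whose validate() is missing or never calls super.validate(). The three Java classes in SAMPLE are constructed for the demo, one per verdict.

```python
import re
# Heuristic SAST-style check for CWE-103: every class extending a Struts
# ValidatorForm must define validate() and call super.validate() from it.
CLASS_RE = re.compile(r"class\s+(\w+)\s+extends\s+[\w.]*Validator\w*Form\b[^{]*\{")
VALIDATE_RE = re.compile(r"ActionErrors\s+validate\s*\([^)]*\)[^{]*\{")
SUPER_RE = re.compile(r"\bsuper\.validate\s*\(")

def _block(src, open_idx):
    """Return src from the '{' at open_idx through its matching '}' (braces in strings/comments not handled)."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx:i + 1]
    raise ValueError("unbalanced braces")

def check_validator_forms(src):
    """Return (class, verdict) pairs: 'ok', 'missing-validate' or 'no-super-call'."""
    findings = []
    for cls in CLASS_RE.finditer(src):
        body = _block(src, cls.end() - 1)          # whole class body
        method = VALIDATE_RE.search(body)
        if method is None:
            findings.append((cls.group(1), "missing-validate"))
        elif SUPER_RE.search(_block(body, method.end() - 1)):
            findings.append((cls.group(1), "ok"))
        else:
            findings.append((cls.group(1), "no-super-call"))
    return findings

# Constructed Java sample (not from the CWE entry): one form per verdict.
SAMPLE = """
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (getName() == null) { errors.add("name", new ActionMessage("error.name.required")); }
        return errors;
    }
}
public class LoginForm extends ValidatorForm { private String user; }
public class ProfileForm extends ValidatorForm {
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = super.validate(mapping, request);
        return errors == null ? new ActionErrors() : errors;
    }
}
"""
if __name__ == "__main__":
    for name, verdict in check_validator_forms(SAMPLE):
        print(f"{name}: {verdict}")
```

Run it over a real code base by reading each .java file into check_validator_forms; anything other than 'ok' is a candidate CWE-103 finding to review by hand.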

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Struts: Erroneous validate() Method
  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-103?

CWE-103 (Struts: Incomplete validate() Method Definition) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

How can CWE-103 be exploited?

Exploiting CWE-103 (Struts: Incomplete validate() Method Definition) leaves the application in an unexpected state; the concrete impact varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-103?

Key mitigations include: Implement the validate() method and call super.validate() within that method.

What is the severity of CWE-103?

CWE-103 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.