Variant · Low-Medium

CWE-104: Struts: Form Bean Does Not Extend Validation Class

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

CWE-104 · Variant Level · 1 Mitigation

Potential Impact

  • Scope: Other — Impact: Other
  • Scope: Confidentiality, Integrity, Availability, Other — Impact: Other

Demonstrative Examples

In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.
Bad

public class RegistrationForm extends org.apache.struts.action.ActionForm {
    // private variables for registration form
    private String name;
    private String email;
    ...
    public RegistrationForm() { super(); }
    // getter and setter methods for private variables
    ...
}
However, the RegistrationForm class extends the Struts ActionForm class directly, so it cannot use the Struts validator capabilities. When using the Struts framework to maintain user data in an ActionForm Bean, the class should always extend one of the validator classes: ValidatorForm, ValidatorActionForm, DynaValidatorForm or DynaValidatorActionForm. These validator classes provide default validation and the validate method for custom validation of the bean's input data. The following Java example shows the RegistrationForm class extending the ValidatorForm class and implementing the validate method for validating input data.
Good

import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
    // private variables for registration form
    private String name;
    private String email;
    ...
    public RegistrationForm() { super(); }
    // custom validation, run after the declarative validation.xml rules
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) { ... }
    // getter and setter methods for private variables
    ...
}
Note that the ValidatorForm class itself extends the ActionForm class within the Struts framework API.
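The following is an added example, not code from the CWE entry, of what the validate method of the corrected RegistrationForm can look like once the bean extends ValidatorForm: it first runs the declarative rules the superclass reads from validation.xml, then layers custom checks on top and reports them through ActionErrors. The field names, the length limit, the e-mail pattern and the use of the standard errors.* message keys are assumptions.

```java
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.validator.ValidatorForm;

/**
 * Registration form bean that extends ValidatorForm, so the declarative
 * rules in validation.xml run before the custom checks in validate().
 * Added example; field names, limits and message keys are assumptions.
 */
public class RegistrationForm extends ValidatorForm {

    private static final int MAX_NAME_LENGTH = 64;                       // assumed limit
    private static final Pattern EMAIL =                                 // assumed, deliberately simple
            Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");

    private String name;
    private String email;

    public RegistrationForm() {
        super();
    }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        // 1. Declarative validation (required, maxlength, mask, ...) from validation.xml.
        ActionErrors errors = super.validate(mapping, request);
        if (errors == null) {
            errors = new ActionErrors();
        }

        // 2. Custom checks that are awkward to express declaratively.
        if (name == null || name.trim().isEmpty()) {
            errors.add("name", new ActionMessage("errors.required", "Name"));
        } else if (name.length() > MAX_NAME_LENGTH) {
            errors.add("name", new ActionMessage("errors.maxlength", "Name",
                    String.valueOf(MAX_NAME_LENGTH)));
        }
        if (email == null || !EMAIL.matcher(email).matches()) {
            errors.add("email", new ActionMessage("errors.email", "Email"));
        }

        // A non-empty ActionErrors makes Struts forward to the mapping's input page
        // instead of invoking the Action, so the Action never sees unvalidated data.
        return errors;
    }

    @Override
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        // Clear state so a pooled form instance never carries a previous request's values.
        name = null;
        email = null;
    }

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}
```

Validation only runs when the action mapping in struts-config.xml sets validate="true" for this form, and the errors.required, errors.maxlength and errors.email keys must exist in the application's message resource bundle; a mapping with validate="false" silently bypasses both the declarative and the custom checks even though the bean extends ValidatorForm.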

Mitigations & Prevention

Implementation

Ensure that all forms extend one of the Validation Classes.

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
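As an added example of the kind of check the detection method describes (not part of the CWE entry, and far simpler than a real SAST tool, which resolves the full type hierarchy), the following utility walks a Java source tree and lists every class that extends ActionForm or DynaActionForm directly rather than one of the four validator classes. The default root path, the output format and the decision to treat any other superclass as unknown are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * Lists Struts form beans that bypass the Validator framework.
 * Added example; a regex over source text is a triage aid, not a type-aware analysis.
 */
public class FormBeanAudit {

    // "class Foo extends Bar" where Bar may be simple or fully qualified.
    private static final Pattern EXTENDS = Pattern.compile("class\\s+(\\w+)\\s+extends\\s+([\\w.]+)");

    // Superclasses that skip the Validator framework (CWE-104).
    private static final List<String> UNVALIDATED = List.of("ActionForm", "DynaActionForm");

    // Superclasses the CWE entry lists as acceptable.
    private static final List<String> VALIDATED = List.of(
            "ValidatorForm", "ValidatorActionForm", "DynaValidatorForm", "DynaValidatorActionForm");

    /** Classifies one "extends" clause: "flag", "ok", or "unknown" (project base class, etc.). */
    static String classify(String superclass) {
        String simple = superclass.substring(superclass.lastIndexOf('.') + 1);
        if (UNVALIDATED.contains(simple)) return "flag";
        if (VALIDATED.contains(simple)) return "ok";
        return "unknown";
    }

    /** Returns one finding line per class that extends ActionForm/DynaActionForm directly. */
    public static List<String> audit(Path root) throws IOException {
        List<String> findings = new ArrayList<>();
        List<Path> sources;
        try (Stream<Path> walk = Files.walk(root)) {
            sources = walk.filter(p -> p.toString().endsWith(".java")).collect(Collectors.toList());
        }
        for (Path p : sources) {
            Matcher m = EXTENDS.matcher(Files.readString(p));
            while (m.find()) {
                String cls = m.group(1);
                String sup = m.group(2);
                if (classify(sup).equals("flag")) {
                    findings.add(p + ": " + cls + " extends " + sup + " (not a Validator class)");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : "src");   // assumed default
        List<String> findings = audit(root);
        for (String f : findings) {
            System.out.println(f);
        }
        System.out.println(findings.size() + " form bean(s) bypass the Validator framework");
    }
}
```

Classes reported as "unknown" (for example, beans that extend a project-wide base form) need a manual look at that base class; a form that inherits from ValidatorForm through an intermediate class is fine, while one whose base class extends ActionForm has the same weakness and will not be caught by this text-level check.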

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Struts: Form Bean Does Not Extend Validation Class
  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-104?

CWE-104 (Struts: Form Bean Does Not Extend Validation Class) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

How can CWE-104 be exploited?

The consequence of CWE-104 (Struts: Form Bean Does Not Extend Validation Class) is categorized as "Other": a form bean that bypasses the Validator framework leaves the application exposed to whatever input-validation weaknesses the missing checks would otherwise have prevented. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-104?

Key mitigations include: Ensure that all forms extend one of the Validation Classes.

What is the severity of CWE-104?

CWE-104 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.