Variant · Low-Medium

CWE-105: Struts: Form Field Without Validator

The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.

Description

Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Potential Impact

  • Integrity: Unexpected State
  • Integrity: Bypass Protection Mechanism

Demonstrative Examples

In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
Result
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {

    // private variables for registration form
    private String name;
    private String address;
    private String city;
    private String state;
    private String zipcode;
    private String phone;
    private String email;

    public RegistrationForm() {
        super();
    }

    // getter and setter methods for private variables
    ...
}
The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.
Bad
<form-validation>
  <formset>
    <form name="RegistrationForm">
      <field property="name" depends="required">
        <arg position="0" key="prompt.name"/>
      </field>
      <field property="address" depends="required">
        <arg position="0" key="prompt.address"/>
      </field>
      <field property="city" depends="required">
        <arg position="0" key="prompt.city"/>
      </field>
      <field property="state" depends="required,mask">
        <arg position="0" key="prompt.state"/>
        <var>
          <var-name>mask</var-name>
          <var-value>[a-zA-Z]{2}</var-value>
        </var>
      </field>
      <field property="zipcode" depends="required,mask">
        <arg position="0" key="prompt.zipcode"/>
        <var>
          <var-name>mask</var-name>
          <var-value>\d{5}</var-value>
        </var>
      </field>
    </form>
  </formset>
</form-validation>
However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm: validators are only defined for the first five of the seven form fields, leaving phone and email unchecked. The validator XML file should contain validator definitions for every form field of a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validators for all of the form fields.
Good
<form-validation>
  <formset>
    <form name="RegistrationForm">
      <field property="name" depends="required">
        <arg position="0" key="prompt.name"/>
      </field>
      <field property="address" depends="required">
        <arg position="0" key="prompt.address"/>
      </field>
      <field property="city" depends="required">
        <arg position="0" key="prompt.city"/>
      </field>
      <field property="state" depends="required,mask">
        <arg position="0" key="prompt.state"/>
        <var>
          <var-name>mask</var-name>
          <var-value>[a-zA-Z]{2}</var-value>
        </var>
      </field>
      <field property="zipcode" depends="required,mask">
        <arg position="0" key="prompt.zipcode"/>
        <var>
          <var-name>mask</var-name>
          <var-value>\d{5}</var-value>
        </var>
      </field>
      <field property="phone" depends="required,mask">
        <arg position="0" key="prompt.phone"/>
        <var>
          <var-name>mask</var-name>
          <var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value>
        </var>
      </field>
      <field property="email" depends="required,email">
        <arg position="0" key="prompt.email"/>
      </field>
    </form>
  </formset>
</form-validation>

Mitigations & Prevention

Implementation

Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.

Taxonomy Mappings

  • 7 Pernicious Kingdoms: Struts: Form Field Without Validator
  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-105?

CWE-105 (Struts: Form Field Without Validator) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.

How can CWE-105 be exploited?

Attackers can exploit CWE-105 (Struts: Form Field Without Validator) to drive the application into an unexpected state or bypass a protection mechanism, since the unvalidated field carries unchecked input into the rest of the product. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-105?

Key mitigations include: Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.

What is the severity of CWE-105?

CWE-105 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.