1. Home
  2. CWE Database
  3. CWE-107
Variant · Low-Medium

CWE-107: Struts: Unused Validation Form

An unused validation form indicates that validation logic is not up-to-date.

CWE-107 · Variant Level ·1 Mitigations

Description

An unused validation form indicates that validation logic is not up-to-date.

Potential Impact

Other

Quality Degradation

Demonstrative Examples

In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
Bad
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
                     
                        
                           
                           // private variables for registration form
                           private String name;private String address;private String city;private String state;private String zipcode;
                           // no longer using the phone form field
                           
                           
                           // private String phone;
                           private String email;
                           public RegistrationForm() {super();}
                           
                           // getter and setter methods for private variables
                           ...
                     }
Bad
<form-validation>
                        <formset>
                              <form name="RegistrationForm">
                                    <field property="name" depends="required"><arg position="0" key="prompt.name"/></field><field property="address" depends="required"><arg position="0" key="prompt.address"/></field><field property="city" depends="required"><arg position="0" key="prompt.city"/></field><field property="state" depends="required,mask"><arg position="0" key="prompt.state"/><var><var-name>mask</var-name><var-value>[a-zA-Z]{2}</var-value></var></field><field property="zipcode" depends="required,mask"><arg position="0" key="prompt.zipcode"/><var><var-name>mask</var-name><var-value>\d{5}</var-value></var></field><field property="phone" depends="required,mask"><arg position="0" key="prompt.phone"/><var><var-name>mask</var-name><var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value></var></field><field property="email" depends="required,email"><arg position="0" key="prompt.email"/></field>
                                 </form>
                           </formset>
                     </form-validation>
However, the validator XML file, validator.xml, for the RegistrationForm class includes the validation form for the user input form field "phone" that is no longer used by the input form and the RegistrationForm class. Any validation forms that are no longer required should be removed from the validator XML file, validator.xml.
The existence of unused forms may be an indication to attackers that this code is out of date or poorly maintained.

Mitigations & Prevention

Implementation

Remove the unused Validation Form from the validation.xml file.

CWE-1164: Irrelevant Code

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects...

CWE-20: Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the ...

Taxonomy Mappings

  • 7 Pernicious Kingdoms: — Struts: Unused Validation Form

Frequently Asked Questions

What is CWE-107?

CWE-107 (Struts: Unused Validation Form) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. An unused validation form indicates that validation logic is not up-to-date.

How can CWE-107 be exploited?

Attackers can exploit CWE-107 (Struts: Unused Validation Form) to quality degradation. This weakness is typically introduced during the Implementation, Operation phase of software development.

How do I prevent CWE-107?

Key mitigations include: Remove the unused Validation Form from the validation.xml file.

What is the severity of CWE-107?

CWE-107 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.