Using setters in Struts 2 ActionSupport is security-sensitive. For example, their use has led in the past to the following vulnerabilities:

All classes extending com.opensymphony.xwork2.ActionSupport are potentially remotely reachable. An action class extending ActionSupport will receive all HTTP parameters sent and these parameters will be automatically mapped to the setters of the Struts 2 action class. One should review the use of the fields set by the setters, to be sure they are used safely. By default, they should be considered as untrusted inputs.

Ask Yourself Whether

(*) You are at risk if you answered yes to this question.

Recommended Secure Coding Practices

As said in Struts documentation: "Do not define setters when not needed"

Sanitize the user input. This can be for example done by implementing the validate() method of com.opensymphony.xwork2.ActionSupport.

Noncompliant Code Example

public class AccountBalanceAction extends ActionSupport {
  private static final long serialVersionUID = 1L;
  private Integer accountId;

  // this setter might be called with user input
  public void setAccountId(Integer accountId) {
    this.accountId = accountId;
  }

  @Override
  public String execute() throws Exception {
    // call a service to get the account's details and its balance
    [...]
    return SUCCESS;
  }
}

See

Deprecated

This rule is deprecated, and will eventually be removed.