Using Struts 1 ActionForm is security-sensitive. For example, its use has led in the past to the following vulnerability:
All classes extending org.apache.struts.action.Action are potentially remotely reachable. The ActionForm object provided as a parameter of the execute method is automatically instantiated and populated with the HTTP parameters. One should review the use of these parameters to be sure they are used safely.
You are at risk if you answered yes to any of these questions.
All of the ActionForm's properties should be validated, including their size. Whenever possible, filter the parameters with a whitelist of valid values. Otherwise, escape any sensitive character and constrain the values as much as possible.
Allow only non-security-sensitive property names: all of the ActionForm's property names should be whitelisted.
Unused fields should be constrained so that they are either empty or undefined.
// Struts 1.1+
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public final class CashTransferAction extends Action {
    public String fromAccount = "";
    public String toAccount = "";

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest req, HttpServletResponse res) throws Exception {
        // usage of the "form" object to call some services doing JDBC actions
        // [...]
        String result = "success"; // name of a forward declared in struts-config.xml
        return mapping.findForward(result);
    }
}
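A hardened counterpart, added here as an example and not part of the original rule page: a hypothetical CashTransferForm backing the action above, whose setters bound every property's size, whose validate() checks each value against a whitelist pattern, whose reset() clears stale values, and a nested servlet filter (assumed to be mapped in web.xml in front of the Struts ActionServlet) that rejects any request parameter name outside the form's allowlist before Struts populates the form. The account and amount formats and the message keys are assumptions.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.struts.action.*;

/** Form backing CashTransferAction: every property bounded and validated (added example). */
public final class CashTransferForm extends ActionForm {
    // Assumed formats: account ids are exactly 10 digits, amounts up to 9 integer and 2 decimal digits.
    private static final Pattern ACCOUNT_ID = Pattern.compile("[0-9]{10}");
    private static final Pattern AMOUNT = Pattern.compile("[0-9]{1,9}(\\.[0-9]{1,2})?");
    private String fromAccount = "", toAccount = "", amount = "";

    public String getFromAccount() { return fromAccount; }
    public void setFromAccount(String v) { fromAccount = clip(v); }
    public String getToAccount() { return toAccount; }
    public void setToAccount(String v) { toAccount = clip(v); }
    public String getAmount() { return amount; }
    public void setAmount(String v) { amount = clip(v); }

    // Size limit enforced at the setter, before any regex runs on the value.
    private static String clip(String v) { String t = v == null ? "" : v.trim(); return t.length() > 32 ? t.substring(0, 32) : t; }

    @Override public void reset(ActionMapping mapping, HttpServletRequest request) {
        fromAccount = toAccount = amount = "";   // session-scoped forms must not keep stale values
    }

    @Override public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (!ACCOUNT_ID.matcher(fromAccount).matches()) errors.add("fromAccount", new ActionMessage("errors.account"));
        if (!ACCOUNT_ID.matcher(toAccount).matches()) errors.add("toAccount", new ActionMessage("errors.account"));
        if (!AMOUNT.matcher(amount).matches()) errors.add("amount", new ActionMessage("errors.amount"));
        return errors;   // non-empty errors send the request back to the input page; execute() is not called
    }

    /** Filter mapped in front of the ActionServlet: parameter names are allow-listed before the
     *  RequestProcessor populates the form, since validate() only runs after population. */
    public static final class ParameterNameFilter implements Filter {
        private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList("fromAccount", "toAccount", "amount"));
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
            for (Object name : req.getParameterMap().keySet()) {
                if (!ALLOWED.contains(name)) {   // unexpected or nested property paths never reach BeanUtils.populate
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
            chain.doFilter(req, res);
        }
    }
}
```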