Using setters in Struts 2 ActionSupport is security-sensitive. For example, their use has led in the past to the following vulnerabilities:
All classes extending com.opensymphony.xwork2.ActionSupport are potentially remotely reachable. An action class extending ActionSupport receives every HTTP parameter sent with the request, and the parameters interceptor automatically maps each one to the matching setter of the action class. Review how the fields populated by those setters are used, to be sure they are handled safely. By default, treat them as untrusted input.
(*) You are at risk if you answered yes to this question.
As the Struts documentation says: "Do not define setters when not needed".
Validate the user input. One way to do this is to implement the validate() method of com.opensymphony.xwork2.ActionSupport: with the default interceptor stack it runs before execute(), and any field error it records sends the request to the "input" result instead of executing the action.
```java
public class AccountBalanceAction extends ActionSupport {
    private static final long serialVersionUID = 1L;
    private Integer accountId;

    // this setter might be called with user input
    public void setAccountId(Integer accountId) {
        this.accountId = accountId;
    }

    @Override
    public String execute() throws Exception {
        // call a service to get the account's details and its balance
        [...]
        return SUCCESS;
    }
}
```
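The following is an added example, not code from the rule page or from Struts itself. It shows the same action hardened along the lines recommended above: validate() rejects malformed values before execute() runs, internal state has no setter so the request cannot populate it, and the value that survives validation is still checked for authorization before it is used. The AccountService interface, the "user" session key and the way the service is injected are assumptions standing in for an application's own components.

```java
import java.util.Map;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;

public class AccountBalanceAction extends ActionSupport {
    private static final long serialVersionUID = 1L;

    // Hypothetical service; assumed to be injected by the container
    // (field injection, so no setter is exposed for the request to hit).
    private AccountService accountService;

    // Still reachable from any request: ?accountId=42 lands here.
    private Integer accountId;

    // Result state: deliberately NO setter, so the parameters interceptor
    // cannot populate it ("do not define setters when not needed").
    private Long balance;

    public void setAccountId(Integer accountId) {
        this.accountId = accountId;
    }

    public Long getBalance() {
        return balance;
    }

    // Runs before execute() with the default interceptor stack. A field
    // error routes the request to the "input" result, so execute() never
    // sees a missing or non-positive id.
    @Override
    public void validate() {
        if (accountId == null || accountId <= 0) {
            addFieldError("accountId", "A positive account id is required");
        }
    }

    @Override
    public String execute() throws Exception {
        // Validation only proves the value is well formed. It says nothing
        // about whether this caller may read that account, so the ownership
        // check below is what stops a user from reading someone else's balance.
        Map<String, Object> session = ActionContext.getContext().getSession();
        String user = (String) session.get("user"); // assumed session key

        if (user == null || !accountService.isOwnedBy(accountId, user)) {
            // Same message whether the account is missing or foreign, so the
            // response does not reveal which ids exist.
            addActionError("Account not found");
            return ERROR;
        }

        balance = accountService.balanceOf(accountId);
        return SUCCESS;
    }

    // Hypothetical service contract used by the example.
    public interface AccountService {
        boolean isOwnedBy(Integer accountId, String user);
        long balanceOf(Integer accountId);
    }
}
```

The setter for accountId is kept because the request genuinely needs to supply it; everything else the action holds is reachable only through code paths the developer controls. If the application later adds a setter for accountService or balance, that field becomes request-settable again, which is exactly the situation the rule flags.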
This rule is deprecated, and will eventually be removed.