Struts: Non-private Field in ActionForm Class

Status: Draft
Abstraction: Variant
Structure: Simple
Description

This vulnerability occurs when an Apache Struts ActionForm class exposes a field without declaring it as private. This allows other parts of the application to directly read or modify the field's data, bypassing the intended setter and getter methods.

Extended Description

In Struts, ActionForm classes are designed to encapsulate user-submitted form data. When a field is not declared private, it breaks this fundamental principle of encapsulation. Any component within the same package or other classes can directly access and alter the field's value, leading to unpredictable application behavior, corrupted data states, and a breakdown of the framework's data validation and population workflow. This direct access bypasses the critical logic within the setter and getter methods, such as input validation, data sanitization, or type conversion. As a result, attackers or even other application modules can inject malicious or malformed data directly into the object. To fix this, always declare all fields in ActionForm classes as private and ensure all external interactions occur through well-defined public getter and setter methods.

Common Consequences

Scope: Integrity, Confidentiality

Impact: Modify Application Data, Read Application Data

Potential Mitigations

Phase: Implementation
Make all fields private. Use a getter to read a field's value. The setter should be invoked only by the framework when it populates the form; setting an ActionForm field from other actions is bad practice and should be avoided.

Demonstrative Examples

In the following Java example the class RegistrationForm is a Struts framework ActionForm bean that will maintain user input data from a registration web page for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data.

Code Example (Bad, Java):

However, within the RegistrationForm the member variables for the registration form input data are declared public, not private. All member variables within a Struts framework ActionForm class must be declared private to prevent them from being modified without using the getter and setter methods. The following example shows the member variables being declared private and getter and setter methods declared for accessing the member variables.

Code Example (Good, Java):
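The two forms described above, written out as an added example (this is not the CWE entry's own listing). The Struts 1 class org.apache.struts.action.ActionForm is replaced by a minimal stand-in so the file compiles without the Struts jar; RegistrationFormBad, RegistrationFormGood, requireEmail, requireNonBlank and nonPrivateFields are names chosen for this example. The bad form shows a direct field write skipping the setter's validation; the good form shows the private field closing that path; nonPrivateFields is a reflection check a team can run over its form classes in a unit test to catch the weakness before it ships.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

// Stand-in for org.apache.struts.action.ActionForm (assumption: the real
// Struts 1 class is not on the classpath here; none of its logic is needed).
abstract class ActionForm {
}

// BAD: public fields. Any caller holding a reference can write them directly
// and skip the validation that lives in the setters (the CWE-608 pattern).
class RegistrationFormBad extends ActionForm {
    public String name;
    public String email;

    public String getName() { return name; }
    public void setName(String name) { this.name = NonPrivateFieldDemo.requireNonBlank(name); }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = NonPrivateFieldDemo.requireEmail(email); }
}

// GOOD: private fields. The setters are the only write path, so the
// validation cannot be skipped from outside the class.
class RegistrationFormGood extends ActionForm {
    private String name;
    private String email;

    public String getName() { return name; }
    public void setName(String name) { this.name = NonPrivateFieldDemo.requireNonBlank(name); }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = NonPrivateFieldDemo.requireEmail(email); }
}

public class NonPrivateFieldDemo {

    // Validation the forms rely on; both classes call it from their setters.
    static String requireNonBlank(String value) {
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalArgumentException("value must not be blank");
        }
        return value.trim();
    }

    static String requireEmail(String value) {
        if (value == null || !value.contains("@")) {
            throw new IllegalArgumentException("invalid email: " + value);
        }
        return value;
    }

    // Defender-side check: every declared field of a form class that is not
    // private. Run it over all ActionForm subclasses in a unit test and fail
    // the build when the list is non-empty.
    static List<String> nonPrivateFields(Class<? extends ActionForm> formClass) {
        List<String> offenders = new ArrayList<>();
        for (Field f : formClass.getDeclaredFields()) {
            if (!Modifier.isPrivate(f.getModifiers())) {
                offenders.add(formClass.getSimpleName() + "." + f.getName());
            }
        }
        return offenders;
    }

    public static void main(String[] args) {
        RegistrationFormBad bad = new RegistrationFormBad();
        bad.email = "no-at-sign";        // compiles and runs: setter validation bypassed
        System.out.println("bad form holds:     " + bad.getEmail());

        RegistrationFormGood good = new RegistrationFormGood();
        // good.email = "no-at-sign";    // does not compile: email has private access
        try {
            good.setEmail("no-at-sign"); // the only write path; the value is rejected
        } catch (IllegalArgumentException e) {
            System.out.println("good form rejected: " + e.getMessage());
        }

        System.out.println("audit bad:  " + nonPrivateFields(RegistrationFormBad.class));
        System.out.println("audit good: " + nonPrivateFields(RegistrationFormGood.class));
    }
}
```

Run with `java NonPrivateFieldDemo.java` (single-file mode, Java 11 or later). The audit of RegistrationFormBad names both fields; the audit of RegistrationFormGood is empty. Because the check uses the class's own declared fields, it also covers package-private and protected fields, which the CWE text treats the same way as public ones.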
Applicable Platforms

Languages: Java (Undetermined Prevalence)
Modes of Introduction

Implementation
Taxonomy Mapping

  • Software Fault Patterns