Executar análise estática (SAST) na base de código à procura do padrão inseguro no fluxo de dados.
CWE-107 Variante Rascunho
Struts: Unused Validation Form
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
Definição
What is CWE-107?
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
In Struts frameworks, validation logic is often tied to specific form or action mappings. When developers rename or remove these mappings during refactoring, they can easily overlook the corresponding validation forms. These orphaned validation rules remain in the configuration files, creating a false sense of security and cluttering the code with dead logic.
This situation is problematic because it indicates that the application's validation layer is not being properly maintained. Attackers may exploit the gap between the actual form processing and the intended validation rules, potentially bypassing client-side or server-side checks. Regularly auditing and removing unused validation forms is essential to keep security configurations accurate and effective.
Impacto no mundo real
Real-world CVEs caused by CWE-107
Ainda não há referências CVE públicas associadas a este CWE no catálogo da MITRE.
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
- 2
However, the validator XML file, validator.xml, for the RegistrationForm class includes the validation form for the user input form field "phone" that is no longer used by the input form and the RegistrationForm class. Any validation forms that are no longer required should be removed from the validator XML file, validator.xml.
- 3
The existence of unused forms may be an indication to attackers that this code is out of date or poorly maintained.
Exemplo de código vulnerável
Vulnerable Java
In the following example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
```
// private variables for registration form*
private String name;
private String address;
private String city;
private String state;
private String zipcode;
*// no longer using the phone form field*
*// private String phone;*
private String email;
public RegistrationForm() {
```
super();
}
```
// getter and setter methods for private variables*
...} Exemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-107
- Implementation Remove the unused Validation Form from the validation.xml file.
Sinais de deteção
How to detect CWE-107
Executar testes dinâmicos de segurança de aplicações (DAST) contra o endpoint em execução.
Monitorizar os registos em tempo de execução para traços de exceção invulgares, input malformado ou tentativas de contornar a autorização.
Revisão de código: sinalizar qualquer novo código que trate input desta superfície sem usar os ajudantes validados do framework.
O Plexicus deteta automaticamente o CWE-107 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-107?
Qual a gravidade do CWE-107?
Que linguagens ou plataformas são afetadas pelo CWE-107?
Como posso prevenir o CWE-107?
Como é que o Plexicus deteta e corrige o CWE-107?
Onde posso saber mais sobre o CWE-107?
Frequently asked questions
O que é o CWE-107?
This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase.
Qual a gravidade do CWE-107?
A MITRE não publicou uma classificação de probabilidade de exploração para esta fraqueza. Trate-a como impacto médio até o seu modelo de ameaças provar o contrário.
Que linguagens ou plataformas são afetadas pelo CWE-107?
MITRE lists the following affected platforms: Java.
Como posso prevenir o CWE-107?
Remove the unused Validation Form from the validation.xml file.
Como é que o Plexicus deteta e corrige o CWE-107?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-107 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-107?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/107.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-107
CWE-1164 Pai
Irrelevant Code
Irrelevant code refers to sections of a program that have no impact on its execution, data, or logic. Removing this code would not change…
CWE-1071 Irmão
Empty Code Block
An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable…
CWE-110 Irmão
Struts: Validator Without Form Field
This vulnerability occurs when a Struts application's validation configuration file references form fields that no longer exist in the…
CWE-561 Irmão
Dead Code
Dead code refers to sections of a program that can never run during normal execution, effectively making them inactive and unreachable.
CWE-563 Irmão
Assignment to Variable without Use
This vulnerability occurs when a value is stored in a variable, but that variable is never read or used in subsequent code, creating a…
Recursos
Further reading
- MITRE — CWE-107 oficial https://cwe.mitre.org/data/definitions/107.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.