CWE

Struts: Duplicate Validation Forms

ID: 102		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: INCOMPLETE
Abstraction Type: Variant

Description

The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

Extended Description

If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.

Applicable Platforms
Language: Java

Time Of Introduction

• Implementation

Common Consequences

Scope	Technical Impact	Notes
Integrity	Unexpected state

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Implementation		The DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the xml configuration files.

Relationships

Related CWE	Type	View	Chain
CWE-102 ChildOf CWE-896	Category	CWE-888

Demonstrative Examples   (Details)

1. Two validation forms with the same name.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
7 Pernicious Kingdoms		Struts: Duplicate Validation Forms

References:
None