CRITICAL
Rule Definition
Input validation is required to secure an application, and a web interface is exposed to anyone. Unvalidated input may allow injection of arbitrary web script, HTML, SQL... Consequences can be severe, such as erasing the content of a database. Validation is a first line of defense; it complements, but does not replace, output encoding in the view and parameterized queries in the data layer.
A single unvalidated input is enough for an attacker to exploit.
JSF supports validators, which are responsible for making sure that the user enters an acceptable value. Each input control must be associated with one or more validators.
Remediation
Validate each input field in one of three ways: at the UI component level, via validator methods in backing beans, or in validator classes.
UI components generally handle simple validation, such as whether a value is required, or validation logic that is specific to the component itself (and therefore not reusable with other components).
Validator methods are useful when you need to validate one or more fields on a form and you do not need to share that logic with other components. External validators are useful for generic cases such as the length of a field or a number range; they are pluggable, which means you can attach one or more of them to any component.
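The following is an added example, not code from the original page or from the CAST rule: a complete pluggable validator class for the emailInput field used in the samples below. It assumes the JSF 1.2 API (javax.faces.*) is on the classpath, and the pattern, length limit and message strings are illustrative choices, not values from the page.

```java
// Added example (not from the original page): a complete pluggable validator
// for the emailInput field. Assumes the JSF 1.2 API (javax.faces.*) on the
// classpath; the regex, MAX_LENGTH and message strings are illustrative.
package com.sample;

import java.util.regex.Pattern;

import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

// Registered in faces-config.xml under <validator-id>emailValidator</validator-id>
// and attached to a component with <f:validator validatorId="emailValidator"/>.
public class EmailValidator implements Validator {

    // Allow-list pattern: local part, '@', dotted domain, alphabetic TLD.
    // Deliberately strict: characters such as <, >, ', " and whitespace are
    // rejected outright rather than escaped, so they never reach the model,
    // the view or the persistence layer.
    private static final Pattern EMAIL = Pattern.compile(
        "^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\\.)+[A-Za-z]{2,63}$");

    // Upper bound on the whole address (RFC 5321 path limit), enforced before
    // the regex runs so oversized input cannot drive regex cost.
    private static final int MAX_LENGTH = 254;

    public void validate(FacesContext context, UIComponent component, Object value)
            throws ValidatorException {
        // null means the field was submitted empty. Emptiness is the job of
        // required="true" on the component, so it is not an error here.
        if (value == null) {
            return;
        }
        String email = value.toString().trim();
        if (email.length() > MAX_LENGTH || !EMAIL.matcher(email).matches()) {
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "Invalid e-mail address",
                "Enter an address such as user@example.com");
            // Throwing marks the component invalid: JSF skips the Update Model
            // Values and Invoke Application phases, so registrationBean.email is
            // never set and registrationBean.createEmail never runs.
            throw new ValidatorException(msg);
        }
    }
}
```

A backing-bean validator method (the third remediation below) has the same signature as validate() and can simply delegate to this class, so the allow-list logic lives in one place. Pair the validator with required="true" on the <h:inputText> if an empty address must also be rejected.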
Violation Code Sample
----> JSP file (1st sample: standard validation)
<%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
<h:inputText id="age" value="#{UserRegistration.user.age}"> // VIOLATION
</h:inputText>
----> JSP file (for 2nd, 3rd and 4th sample)
<%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
<h:form id="create">
....
<h:inputText id="emailInput"
value="#{registrationBean.email}"/> // VIOLATION
<h:commandButton id="submit"
value="CreateEmail"
action="#{registrationBean.createEmail}"/>
....
</h:form>
---> faces-config.xml
<faces-config>
...
<managed-bean>
<managed-bean-name>registrationBean</managed-bean-name>
<managed-bean-class>
com.sample.RegistrationBean
</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
</managed-bean>
...
</faces-config>
---> RegistrationBean.java
package com.sample;
public class RegistrationBean {
...
}
Fixed Code Sample
-------------- 1st sample (standard validation) --------------
----> JSP file
<%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
<h:inputText id="age" value="#{UserRegistration.user.age}">
<f:validateLongRange maximum="150" minimum="0"/>
</h:inputText>
----> jsf_core.tld
<tag>
<name>validateLongRange</name>
<tag-class>
com.sun.faces.taglib.jsf_core.ValidateLongRangeTag
</tag-class>
...
----> ValidateLongRangeTag.java:
public class ValidateLongRangeTag extends com.sun.faces.taglib.jsf_core.MaxMinValidatorTag {
....
}
---> MaxMinValidatorTag.java:
public class MaxMinValidatorTag extends javax.faces.webapp.ValidatorTag {
...
}
-------------- 2nd sample ( custom validation) --------------
----> JSP file:
<%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
<h:inputText id="emailInput"
value="#{registrationBean.email}">
<f:validator validatorId="emailValidator"/> // FIXED
</h:inputText>
----> faces-config.xml
<faces-config>
...
<validator>
<validator-id>emailValidator</validator-id>
<validator-class>com.sample.EmailValidator</validator-class>
</validator>
...
</faces-config>
----> EmailValidator.java
package com.sample;
public class EmailValidator implements javax.faces.validator.Validator {
....
}
-------------- 3rd sample ( validation in the backing bean) --------------
----> JSP file:
<h:inputText id="emailInput"
validator="#{registrationBean.validateEmail}" // FIXED
value="#{registrationBean.email}"/>
----> faces-config.xml
<faces-config>
...
<managed-bean>
<managed-bean-name>registrationBean</managed-bean-name>
<managed-bean-class>
com.sample.RegistrationBean
</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
</managed-bean>
...
</faces-config>
----> RegistrationBean.java
package com.sample;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.ValidatorException;
public class RegistrationBean {
...
// Validator method signature required by the validator="..." attribute;
// throw ValidatorException to reject the value.
public void validateEmail(FacesContext context, UIComponent component, Object value)
throws ValidatorException {
...
}
}
Reference
Java Server Faces in Action ISBN 1-932394-11-7 p 44
Related Technologies
JEE
Technical Criterion
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')