This vulnerability exposes the application to failures of a wide range of application-specific features the Strut filter was supposed to perform, such as authentication, logging, encryption, and more.
Filters are used to intercept requests and responses from a server and allow developers to manipulate them. When a filter is declared,
but the corresponding filter assignment is inadvertently not, then the code is vulnerable to security problems or business logic
instability.
If a filter is defined in the web application descriptor file web.xml but is not used in a "filter mapping", this is an indication
that it may have been forgotten.
If a filter is not used in a <filter-mapping> element, it will not be called. Below are some examples of the impact of this
oversight.
One of the main uses of Struts filters is to provide security measures such as authentication and authorization. If a filter is forgotten in the filter mappings, unauthorized users could gain access to sensitive data or perform actions that they are not authorized to perform.
Filters can also be used to modify requests and responses, format data, or even handle errors. If these features are not included in the filter mappings, they may not work as expected, resulting in a poor user experience or even application crash.
Some filters are designed to improve the performance of your application, such as those that implement caching strategies. If these are not mapped, you may experience slow response times or increased server load on your application.
<filter>
<filter-name>ValidationFilter</filter-name> <!-- Noncompliant -->
<filter-class>com.myco.servlet.ValidationFilter</filter-class>
</filter>
<filter>
<filter-name>ValidationFilter</filter-name>
<filter-class>com.myco.servlet.ValidationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ValidationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>