Having two form validation entries with the same name indicates a configuration issue. Only one of the two configurations will be applied, which can lead to validation gaps.

Why is this an issue?

In Struts, form validation is used to validate the data the application’s clients provide as part of a form submission to the server. Configuring two different form validations with the same name leads to unexpected behaviors.

When faced with multiple form validations with the same name, Struts will arbitrarily choose one and apply it while discarding the others.

What is the potential impact?

The application might perform an incomplete validation of user-submitted forms. Some parts of the validation configuration defined in discarded items will not apply, which can have severe consequences if not duplicated in the applied one.

Missing input validation can make the application vulnerable to injection attacks or other severe issues. These issues might affect the confidentiality, integrity, or availability of the application or the data it stores.

How to fix it

Code examples

Noncompliant code example

<form-validation>
  <formset>
    <form name="BookForm"> ... </form>
    <form name="BookForm"> ... </form>  <!-- Noncompliant -->
  </formset>
</form-validation>

Compliant solution

<form-validation>
  <formset>
    <form name="BookForm"> ... </form>
  </formset>
</form-validation>

How does this work?

Only one validation configuration should remain. Depending on what was previously configured, one should either remove the useless validation entries or merge all of them into a single complete one.
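
The following audit script is an added example, not part of the original rule description or of Struts itself. It lists forms whose name appears more than once for the same locale in a validation file and, for each, the field rules missing from at least one copy, which are the rules to carry over when merging. Assumptions: the sample XML is constructed, and formsets that differ in their language, country or variant attributes are treated as legitimately reusing a form name.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two BookForm entries that validate different fields.
SAMPLE = """\
<form-validation>
  <formset>
    <form name="BookForm">
      <field property="title" depends="required,maxlength"/>
      <field property="isbn" depends="required,mask"/>
    </form>
    <form name="BookForm">
      <field property="title" depends="required"/>
      <field property="price" depends="required,float"/>
    </form>
    <form name="AuthorForm"><field property="name" depends="required"/></form>
  </formset>
</form-validation>
"""

def field_rules(form):
    """Map each field property to the set of validators in its depends list."""
    rules = defaultdict(set)
    for field in form.findall("field"):
        deps = field.get("depends", "").split(",")
        rules[field.get("property", "")].update(d.strip() for d in deps if d.strip())
    return rules

def find_duplicate_forms(xml_text):
    """Return {(locale, name): {field: rules absent from at least one copy}}."""
    copies = defaultdict(list)
    for formset in ET.fromstring(xml_text).iter("formset"):
        # Assumption: formsets for different locales may reuse a form name.
        locale = tuple(formset.get(a, "") for a in ("language", "country", "variant"))
        for form in formset.findall("form"):
            copies[(locale, form.get("name"))].append(field_rules(form))
    report = {}
    for key, rule_sets in copies.items():
        if len(rule_sets) > 1:
            gaps = {}
            for prop in sorted({p for rs in rule_sets for p in rs}):
                per_copy = [set(rs.get(prop, ())) for rs in rule_sets]
                at_risk = set().union(*per_copy) - set.intersection(*per_copy)
                if at_risk:
                    gaps[prop] = sorted(at_risk)
            report[key] = gaps
    return report

if __name__ == "__main__":
    print(find_duplicate_forms(SAMPLE))
```

An empty result means no form name is repeated within a locale. A non-empty entry with an empty inner mapping means the copies are identical and the extra ones can simply be removed.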
