CWE-104 Struts Form Bean Without Validation
What this means
SiteShadow flagged a "form object" / request model being used without proper server-side validation. While the CWE name references Struts, the core issue applies to any framework: unvalidated form fields flow into business logic and sensitive sinks.
Why it matters
Unvalidated form input can lead to injection or logic issues.
- Injection: unvalidated fields reach SQL/LDAP/XPath/template sinks (see CWE-89/CWE-90/CWE-91).
- Auth/business logic abuse: users submit values they shouldn't control (roles, prices, state) (see CWE-642/B01).
- DoS and crashes: unexpected shapes/lengths trigger errors (see CWE-20/E01).
Safer examples
1) Validate request bodies with a schema (JavaScript/TypeScript)
```typescript
import { z } from "zod";

// Declare the accepted shape once. Unknown keys are stripped by default;
// call .strict() on the object schema to reject them instead.
const Schema = z.object({
  email: z.string().email(),
  quantity: z.number().int().min(1).max(100),
});

// Inside the request handler: throws a ZodError (answer with 400) when
// req.body does not match, so only validated data reaches business logic.
const data = Schema.parse(req.body);
```
2) Validate required fields and ranges (Python)
```python
import re

# Check the email field against a coarse shape before it reaches any sink.
if not re.fullmatch(r"[^@]+@[^@]+\.[^@]+", email):
    raise ValueError("Invalid email")
# HTML forms deliver strings: convert with int() first, then check the range
# (comparing a str to an int raises TypeError in Python 3).
if not isinstance(quantity, int) or quantity < 1 or quantity > 100:
    raise ValueError("Invalid quantity")
```
3) Recompute sensitive values server-side
Don't accept role/price/state from forms; compute them from trusted server state (see CWE-454 / CWE-642).
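The three points above combined into one handler-side check, as an added example that is not SiteShadow's or any framework's own code: the catalogue, field names, limits and the sample form are constructed for illustration. It allowlists fields (so a client-supplied `price` or `role` is dropped rather than flowing into business logic), checks type, length, format and range per field, and recomputes the total from server-owned state.

```python
# Added example (not SiteShadow's code): server-side validation of a checkout
# form. CATALOGUE, ALLOWED_FIELDS and the limits are constructed for illustration.
import re
from dataclasses import dataclass

CATALOGUE = {"sku-100": 1999, "sku-200": 499}      # constructed: price in cents, server-owned
ALLOWED_FIELDS = {"email", "sku", "quantity"}      # allowlist: every other key is dropped
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
QUANTITY_RE = re.compile(r"[0-9]{1,3}")            # HTML forms submit strings, not ints


class ValidationError(ValueError):
    """Raised for any field that fails validation; the request is rejected."""


@dataclass(frozen=True)
class Order:
    email: str
    sku: str
    quantity: int
    total_cents: int   # recomputed from CATALOGUE, never read from the form


def validate_checkout(form: dict) -> Order:
    """Allowlist fields, check type/length/format/range, recompute the total."""
    # 1. Allowlist: keys such as "price", "role" or "is_admin" are ignored, so a
    #    tampered form cannot mass-assign them into business logic.
    data = {k: form[k] for k in ALLOWED_FIELDS if k in form}
    missing = ALLOWED_FIELDS - set(data)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")

    # 2. Per-field checks: type first, then length, then format or range.
    email = data["email"]
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValidationError("invalid email")

    sku = data["sku"]
    if not isinstance(sku, str) or sku not in CATALOGUE:   # membership check, not a regex
        raise ValidationError("unknown sku")

    qty = data["quantity"]
    if isinstance(qty, bool):                              # bool is an int subclass; reject it
        raise ValidationError("quantity must be an integer")
    if isinstance(qty, str) and QUANTITY_RE.fullmatch(qty):
        qty = int(qty)                                     # form-encoded "3" -> 3
    if not isinstance(qty, int) or not 1 <= qty <= 100:
        raise ValidationError("quantity out of range")

    # 3. Sensitive values come from trusted server state, not from the client.
    return Order(email=email, sku=sku, quantity=qty, total_cents=CATALOGUE[sku] * qty)


def is_rejected(form: dict) -> bool:
    """True when the form fails validation (used by callers and tests)."""
    try:
        validate_checkout(form)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a tampered form that also tries to set price and role.
    tampered = {"email": "buyer@example.com", "sku": "sku-100", "quantity": "3",
                "price": 1, "role": "admin"}
    print(validate_checkout(tampered))   # total_cents=5997; price and role ignored
```

The order of checks matters: the allowlist runs before any field is read, and type checks run before length or regex checks so that a non-string value cannot reach `len()` or `fullmatch()` and crash the handler (the DoS case above).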
How SiteShadow detects it (high level)
- Detects request/form objects used in downstream sensitive operations without validation/allowlists.
- Flags missing schema checks near endpoints that mutate state, query data, or call external systems.
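A small illustration of that idea, as an added example that is not SiteShadow's engine: a Python AST heuristic that walks each handler in source order, marks variables assigned from a request/form object as untrusted, clears the mark when a value passes through a call whose name suggests validation, and reports sink calls that still receive untrusted data. The source/sink/validator name lists and the sample handlers are constructed for the example.

```python
# Added example (not SiteShadow's code): a source-to-sink heuristic over Python
# handlers. REQUEST_OBJECTS, SINK_CALLS, VALIDATOR_HINTS and SAMPLE are constructed.
import ast

REQUEST_OBJECTS = {"request", "req", "form"}            # where untrusted data enters
SINK_CALLS = {"execute", "executescript", "system", "run", "search"}
VALIDATOR_HINTS = ("validate", "parse", "schema")       # call names treated as validation


def _call_name(node: ast.Call) -> str:
    """'cur.execute(...)' -> 'execute', 'validate(...)' -> 'validate'."""
    f = node.func
    if isinstance(f, ast.Attribute):
        return f.attr
    if isinstance(f, ast.Name):
        return f.id
    return ""


def _is_request_source(node: ast.AST) -> bool:
    """True for request.form['x'], request.args.get('x'), req.body, ..."""
    while isinstance(node, (ast.Attribute, ast.Subscript, ast.Call)):
        node = node.func if isinstance(node, ast.Call) else node.value
    return isinstance(node, ast.Name) and node.id in REQUEST_OBJECTS


def _is_validator_call(node: ast.AST) -> bool:
    return isinstance(node, ast.Call) and any(
        hint in _call_name(node).lower() for hint in VALIDATOR_HINTS)


def _is_untrusted(expr: ast.AST, tainted: set) -> bool:
    """Expression reads request data directly or via a tainted variable,
    unless the data is wrapped in a validator call."""
    if _is_validator_call(expr):
        return False                       # validated data is trusted from here on
    if _is_request_source(expr):
        return True
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(_is_untrusted(child, tainted) for child in ast.iter_child_nodes(expr))


def find_unvalidated_flows(source: str) -> list:
    """Return sorted (handler name, line) pairs for sink calls fed by unvalidated data."""
    findings = set()
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted: set = set()
        # Statements in source order, so assignments are seen before their uses.
        stmts = sorted((n for n in ast.walk(fn) if isinstance(n, ast.stmt)),
                       key=lambda n: n.lineno)
        for stmt in stmts:
            if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef)):
                continue
            # Inspect only this statement's own expressions, not nested statements.
            exprs = [c for c in ast.iter_child_nodes(stmt)
                     if not isinstance(c, (ast.stmt, ast.excepthandler))]
            for expr in exprs:
                for call in ast.walk(expr):
                    if isinstance(call, ast.Call) and _call_name(call) in SINK_CALLS:
                        args = list(call.args) + [kw.value for kw in call.keywords]
                        if any(_is_untrusted(a, tainted) for a in args):
                            findings.add((fn.name, call.lineno))
            # Track simple `name = expr` assignments.
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                name = stmt.targets[0].id
                if _is_untrusted(stmt.value, tainted):
                    tainted.add(name)
                else:
                    tainted.discard(name)  # reassigned from a validated/trusted value
    return sorted(findings)


# Constructed handlers: lines 4 and 13 should be reported, line 8 should not.
SAMPLE = """\
def search_unvalidated(request, cur):
    term = request.form["q"]
    sql = f"SELECT * FROM items WHERE name LIKE '%{term}%'"
    cur.execute(sql)

def search_validated(request, cur):
    term = validate_search_term(request.form["q"])
    cur.execute("SELECT * FROM items WHERE name LIKE ?", ("%" + term + "%",))

def update_role(request, cur):
    user_id = request.form.get("id")
    role = request.form.get("role")
    cur.execute("UPDATE users SET role=? WHERE id=?", (role, user_id))
"""

if __name__ == "__main__":
    for handler, line in find_unvalidated_flows(SAMPLE):
        print(f"{handler}: unvalidated request data reaches a sink at line {line}")
```

Note that `update_role` is reported even though its query is parameterized: parameterization addresses CWE-89, while this CWE is about the missing validation step itself (the `role` field should not be client-controlled at all, per point 3 above). A real analyser adds inter-procedural tracking, framework-specific source and validator knowledge, and handling of attribute targets and nested scopes that this heuristic deliberately omits.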
References
- CWE-104: https://cwe.mitre.org/data/definitions/104.html
---