Required validation can be bypassed

Description

By adding square brackets, [], to the end of an input name, we can send in an empty value for an input that has "required" validation set.

Example:
We have a variable that is required:
@Validate(required=true) private double numberOne;

We send in the input with [] appended to the name and without any value:
numberOne[]

No other validation will be triggered since there is no value.

The cause seems to be that we are allowed to send in an empty array because of how the strippedName function works.
It only checks for the presence of brackets; no validation is done that an index exists.
After that, the input is validated as an array element, but since we do not have any elements in the array there is nothing to validate.
The effect of this is that the variable annotated as required is no longer required, and will receive the standard value.

This can create a wide array of unintended behaviors. It also has security implications if a "required" value was used to manually validate something in a function and the function fails to success when the value is not present.

Further example:

Action:
POST /examples.action HTTP/1.1
/../
Connection: close
numberOne=10

Result:

HTTP/1.1 200 OK

Ok!

-

Action:
POST /examples.action HTTP/1.1
/../
Connection: close
numberOne=

Result:

HTTP/1.1 200 OK

Number One is a required field

-

Action:
POST /examples.action HTTP/1.1
/../
Connection: close
numberOne[]=

Result:

HTTP/1.1 200 OK

Ok!
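
The cause described above, shown as an added example that is not part of the original report and is not Stripes source code: a simplified model of a required check that skips bracketed names, next to a check that requires at least one non-empty value under the stripped name. strippedName is the function named in the report, but its body here, like every other name in the block, is an assumption made for illustration.

```java
import java.util.*;
// Simplified model of the reported behaviour, not Stripes source. strippedName is named
// in the report; its body and all other names are assumptions made for this example.
public class RequiredBypassDemo {
    // Assumed: drops a trailing "[...]" so "numberOne[]" maps to "numberOne".
    static String strippedName(String p) {
        int i = p.indexOf('[');
        return i < 0 ? p : p.substring(0, i);
    }
    static List<String> nonEmpty(String[] values) {
        List<String> out = new ArrayList<>();
        for (String v : values) if (v != null && !v.trim().isEmpty()) out.add(v);
        return out;
    }

    // Flawed: a bracketed name is left to per-element validation, and with
    // zero elements nothing runs, so the required check is never reached.
    static List<String> flawedCheck(Set<String> required, Map<String, String[]> params) {
        List<String> errors = new ArrayList<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String field = strippedName(e.getKey());
            boolean indexed = !field.equals(e.getKey());
            if (!required.contains(field) || indexed) continue;
            if (nonEmpty(e.getValue()).isEmpty()) errors.add(field + " is a required field");
        }
        return errors;
    }

    // Strict: a required field needs at least one non-empty value under its
    // stripped name, whether or not the submitted name carried brackets.
    static List<String> strictCheck(Set<String> required, Map<String, String[]> params) {
        Set<String> satisfied = new HashSet<>();
        for (Map.Entry<String, String[]> e : params.entrySet())
            if (!nonEmpty(e.getValue()).isEmpty()) satisfied.add(strippedName(e.getKey()));
        List<String> errors = new ArrayList<>();
        for (String field : required)
            if (!satisfied.contains(field)) errors.add(field + " is a required field");
        return errors;
    }
    public static void main(String[] args) {
        Set<String> required = Collections.singleton("numberOne");
        // Constructed inputs mirroring the three requests in the report.
        String[][] cases = { {"numberOne", "10"}, {"numberOne", ""}, {"numberOne[]", ""} };
        for (String[] c : cases) {
            Map<String, String[]> params = Collections.singletonMap(c[0], new String[] {c[1]});
            System.out.println(c[0] + "=" + c[1] + " flawed=" + flawedCheck(required, params)
                    + " strict=" + strictCheck(required, params));
        }
    }
}
```

Because the strict check iterates over the required fields rather than over the submitted parameter names, it also reports a required field that is missing from the request entirely.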

Environment

None

Status

Assignee

Unassigned

Reporter

Mikael Wecksten

Labels

None

Tester

None

Components

Affects versions

Release 1.5.8
Release 1.6

Priority

Major