This page is not yet available in Spanish. We are working on its translation. If you have any questions or feedback about our current translation project, feel free to reach out to us!
// test_noncompliant_xpath.csusingSystem;usingSystem.Xml;usingMicrosoft.AspNetCore.Mvc;// For contextpublicclassVulnerableXPathController:Controller{// Noncompliant: Parameters concatenated directly [HttpGet]publicIActionResultAuthenticate(stringuser,stringpass){XmlDocumentdoc=newXmlDocument();// Assume doc is loaded with some XML data here...// doc.Load("users.xml");// Vulnerable concatenationStringexpression="/users/user[@name='"+user+"' and @pass='"+pass+"']";// Method call using the concatenated stringXmlNodeuserNode=doc.SelectSingleNode(expression);// Violation should be reported herereturnJson(userNode!=null);}// Noncompliant: Only one parameter concatenated [HttpGet]publicIActionResultFindUser(stringusername){XmlDocumentdoc=newXmlDocument();// Assume doc is loaded...stringquery="//user[@id='"+username+"']/data";// VulnerableXmlNodeListnodes=doc.SelectNodes(query);// Violation should be reported here// Process nodes...returnOk();}// Noncompliant: Concatenation inside the method call [HttpGet]publicIActionResultFindUserDirect(stringuid){XmlDocumentdoc=newXmlDocument();// Assume doc is loaded...varnode=doc.SelectSingleNode("/items/item[@uid='"+uid+"']");// Violation herereturnJson(node!=null);}}
Compliant Code Examples
// test_compliant_xpath.csusingSystem;usingSystem.Xml;usingMicrosoft.AspNetCore.Mvc;// For contextusingSystem.Text.RegularExpressions;// For validation examplepublicclassSafeXPathController:Controller{// Compliant: Hardcoded XPath query [HttpGet]publicIActionResultGetAdmins(){XmlDocumentdoc=newXmlDocument();// Assume doc is loaded...// Safe: Query is constantStringexpression="/users/user[@role='admin']";XmlNodeListadminNodes=doc.SelectNodes(expression);// OK// Process nodes...returnOk();}}
Integraciones sin problemas. Prueba Datadog Code Security
Datadog Code Security
Prueba esta regla y analiza tu código con Datadog Code Security
Cómo usar esta regla
1
2
rulesets:- csharp-security # Rules to enforce C# security.
Crea un static-analysis.datadog.yml con el contenido anterior en la raíz de tu repositorio
Utiliza nuestros complementos del IDE gratuitos o añade análisis de Code Security a tus pipelines de CI.