
Metadata

ID: csharp-security/xpath-injection

Language: C#

Severity: Error

Category: Security

CWE: 643 (Improper Neutralization of Data within XPath Expressions — "XPath Injection")

Description

Building an XPath expression by concatenating or formatting untrusted input (request parameters, headers, form fields) into the query string and passing it to `XmlNode.SelectSingleNode`/`SelectNodes` (or `XPathNavigator.Select`/`Evaluate`) lets an attacker change the structure of the query rather than just its data. A single quote in the input ends the string literal and the remainder is parsed as XPath, so a crafted value can bypass an authentication predicate or select nodes the caller was never meant to see (CWE-643). Do not concatenate untrusted data into an XPath expression. Prefer a constant expression and compare against the untrusted value in C#, or bind the value as an XPath variable (for example through a custom `XsltContext` used with `XPathNavigator`) so it is never parsed as syntax. If the value must be embedded, validate it against a strict allowlist before use and reject anything that does not match — sanitising by replacing quotes is not sufficient, because XPath 1.0 string literals have no escape sequence.

Non-Compliant Code Examples

// test_noncompliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context

public class VulnerableXPathController : Controller
{
    // Noncompliant: Parameters concatenated directly
    //
    // `user` and `pass` come from the HTTP request (bound by ASP.NET Core into the
    // action parameters) and are spliced into the XPath predicate without any
    // neutralisation. A value containing a single quote ends the string literal and
    // everything after it is parsed as XPath, e.g. user = "' or 1=1 or ''='" gives
    // the predicate [@name='' or 1=1 or ''='' and @pass='...']. Because `and` binds
    // tighter than `or`, that predicate is true for every <user>, so the credential
    // check is bypassed regardless of `pass` (CWE-643).
    [HttpGet]
    public IActionResult Authenticate(string user, string pass)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded with some XML data here...
        // doc.Load("users.xml");

        // Vulnerable concatenation: untrusted text becomes part of the query's
        // syntax, not just its data. XPath 1.0 string literals have no escape
        // sequence, so replacing quotes is not a reliable fix; keep the data out
        // of the expression instead.
        String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";

        // Method call using the concatenated string
        XmlNode userNode = doc.SelectSingleNode(expression); // Violation should be reported here

        // The found/not-found answer is also a boolean oracle: an attacker can use
        // it to probe the document's contents one injected predicate at a time.
        return Json(userNode != null);
    }

    // Noncompliant: Only one parameter concatenated
    //
    // A single untrusted operand is enough. The query starts on the descendant
    // axis (`//`), so an injected predicate such as username = "' or @id='admin"
    // steers the selection to any <user> in the document, not just the caller's.
    [HttpGet]
    public IActionResult FindUser(string username)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        string query = "//user[@id='" + username + "']/data"; // Vulnerable: `username` is unvalidated request input

        XmlNodeList nodes = doc.SelectNodes(query); // Violation should be reported here

        // Process nodes...
        return Ok();
    }

    // Noncompliant: Concatenation inside the method call
    //
    // Same flaw as above; the only difference is that the expression is built
    // inline in the argument, so a detector has to look at the argument
    // expression itself rather than at a named local.
    [HttpGet]
    public IActionResult FindUserDirect(string uid)
    {
         XmlDocument doc = new XmlDocument();
         // Assume doc is loaded...

         var node = doc.SelectSingleNode("/items/item[@uid='" + uid + "']"); // Violation here

         return Json(node != null);
    }
}

Compliant Code Examples

// test_compliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context
using System.Text.RegularExpressions; // For validation example

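public class SafeXPathController : Controller
{
    // Allowlist for identifier-like request input: ASCII letters, digits and '_',
    // 1-64 characters. It excludes the quote, bracket, slash and operator
    // characters needed to break out of an XPath string literal. `\z` is used
    // instead of `$` so a trailing newline cannot slip past the check.
    private static readonly Regex SafeIdentifier =
        new Regex(@"^[A-Za-z0-9_]{1,64}\z", RegexOptions.Compiled);

    // Compliant: Hardcoded XPath query
    //
    // No request data reaches the expression, so there is nothing to inject.
    [HttpGet]
    public IActionResult GetAdmins()
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        // Safe: Query is constant
        String expression = "/users/user[@role='admin']";
        XmlNodeList adminNodes = doc.SelectNodes(expression); // OK

        // Process nodes...
        return Ok();
    }

    // Compliant: untrusted input is kept out of the expression entirely.
    //
    // The XPath stays constant and the comparison against the request value is
    // done in C#, so `username` is never parsed as query syntax. This is the
    // preferred shape when the API offers no parameter binding (XmlDocument's
    // SelectNodes/SelectSingleNode take a plain string).
    [HttpGet]
    public IActionResult FindUser(string username)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        XmlNode match = null;
        foreach (XmlNode user in doc.SelectNodes("//user")) // constant query
        {
            XmlAttribute id = user.Attributes["id"];
            if (id != null && string.Equals(id.Value, username, StringComparison.Ordinal))
            {
                match = user.SelectSingleNode("data"); // constant, relative query
                break;
            }
        }

        // Process match...
        return Ok();
    }

    // Compliant: input is validated against a strict allowlist before use.
    //
    // Validation is a defence-in-depth mitigation, not a replacement for keeping
    // data out of the expression: it is only as strong as the allowlist, and a
    // later relaxation of the pattern silently reintroduces the injection.
    // Requests that fail the check are rejected rather than "cleaned up".
    [HttpGet]
    public IActionResult FindUserValidated(string uid)
    {
        if (string.IsNullOrEmpty(uid) || !SafeIdentifier.IsMatch(uid))
        {
            return BadRequest();
        }

        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        // `uid` is now known to contain only [A-Za-z0-9_], none of which has any
        // meaning inside an XPath string literal.
        XmlNode node = doc.SelectSingleNode("/items/item[@uid='" + uid + "']");

        return Ok(node != null);
    }
}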