
Metadata

ID: csharp-security/xpath-injection

Language: C#

Severity: Error

Category: Security

CWE: 643

Description

No description found

Non-Compliant Code Examples

// test_noncompliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context

public class VulnerableXPathController : Controller
{
    // Each action below builds an XPath expression by concatenating a request
    // parameter into the query text and then evaluates it with
    // SelectSingleNode/SelectNodes. The parameter is spliced into a quoted
    // attribute literal, so a quote character in the input ends that literal
    // and the remainder of the input is parsed as XPath; the caller can then
    // change which nodes the predicate matches (CWE-643, XPath injection).
    // In this sample the document is never loaded (the Load call is commented
    // out), so the queries run against an empty document; the construction
    // pattern is what the rule reports.
    //
    // Mitigation: keep the query text constant and compare attribute values in
    // C#, or reject any value that does not match an allow-list of expected
    // characters before it reaches the query.

    // Noncompliant: Parameters concatenated directly
    // Returns a JSON body of true when a node matched, false otherwise.
    // Comparing a password as a plaintext attribute value is a separate
    // weakness from the injection itself.
    [HttpGet]
    public IActionResult Authenticate(string user, string pass)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded with some XML data here...
        // doc.Load("users.xml");

        // Vulnerable concatenation: both `user` and `pass` are placed inside
        // single-quoted literals, so either one can terminate its literal.
        String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";

        // Method call using the concatenated string
        XmlNode userNode = doc.SelectSingleNode(expression); // Violation should be reported here

        return Json(userNode != null);
    }

    // Noncompliant: Only one parameter concatenated
    // A single tainted value is enough for the rule to report; the result of
    // the query is discarded and the action always returns 200 OK.
    [HttpGet]
    public IActionResult FindUser(string username)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        string query = "//user[@id='" + username + "']/data"; // Vulnerable

        XmlNodeList nodes = doc.SelectNodes(query); // Violation should be reported here

        // Process nodes...
        return Ok();
    }

    // Noncompliant: Concatenation inside the method call
    // Building the string inline as the argument is the same construction as
    // assigning it to a local first: the sink still receives tainted query text.
    [HttpGet]
    public IActionResult FindUserDirect(string uid)
    {
         XmlDocument doc = new XmlDocument();
         // Assume doc is loaded...

         var node = doc.SelectSingleNode("/items/item[@uid='" + uid + "']"); // Violation here

         return Json(node != null);
    }
}

Compliant Code Examples

// test_compliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context
using System.Text.RegularExpressions; // For validation example

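public class SafeXPathController : Controller
{
    // Allow-list for identifiers that may influence a lookup (example limits:
    // letters, digits, '_', '.', '-', at most 64 characters). Quotes, brackets
    // and XPath operators are outside the set, so a value that passes this
    // check cannot alter the structure of a query.
    private static readonly Regex UsernamePattern = new Regex("^[A-Za-z0-9_.-]{1,64}$");

    // Compliant: Hardcoded XPath query
    // The expression contains no request data, so there is nothing an
    // attacker can influence. Always returns 200 OK; the nodes are not used.
    [HttpGet]
    public IActionResult GetAdmins()
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        // Safe: Query is constant
        String expression = "/users/user[@role='admin']";
        XmlNodeList adminNodes = doc.SelectNodes(expression); // OK

        // Process nodes...
        return Ok();
    }

    // Compliant: the untrusted value never becomes part of the XPath text.
    // SelectNodes offers no parameter placeholders, so the query stays
    // constant and the comparison with the request value is done in C#.
    // Returns 400 when the input fails validation, otherwise a JSON body of
    // true when a user with that id exists and false when none does.
    [HttpGet]
    public IActionResult FindUser(string username)
    {
        // Validate before doing any work. Regex.IsMatch throws on null input,
        // hence the explicit null/empty check first.
        if (string.IsNullOrEmpty(username) || !UsernamePattern.IsMatch(username))
        {
            return BadRequest();
        }

        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        // Safe: Query is constant
        XmlNodeList users = doc.SelectNodes("/users/user"); // OK
        bool found = false;
        if (users != null)
        {
            foreach (XmlNode user in users)
            {
                // Ordinal comparison: identifiers are not linguistic text.
                string id = user.Attributes?["id"]?.Value;
                if (string.Equals(id, username, StringComparison.Ordinal))
                {
                    found = true;
                    break;
                }
            }
        }

        return Json(found);
    }
}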

