Detect an XPath input from an HTTP request

Docs > Plateforme de sécurité Datadog > Code Security > Static Code Analysis (SAST) > SAST Rules > Detect an XPath input from an HTTP request

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: csharp-security/xpath-injection

Language: C#

Severity: Error

Category: Security

CWE: 643

Description

No description found

Non-Compliant Code Examples

// test_noncompliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context

public class VulnerableXPathController : Controller
{
    // Noncompliant: Parameters concatenated directly
    [HttpGet]
    public IActionResult Authenticate(string user, string pass)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded with some XML data here...
        // doc.Load("users.xml");

        // Vulnerable concatenation
        String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";

        // Method call using the concatenated string
        XmlNode userNode = doc.SelectSingleNode(expression); // Violation should be reported here

        return Json(userNode != null);
    }

    // Noncompliant: Only one parameter concatenated
    [HttpGet]
    public IActionResult FindUser(string username)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        string query = "//user[@id='" + username + "']/data"; // Vulnerable

        XmlNodeList nodes = doc.SelectNodes(query); // Violation should be reported here

        // Process nodes...
        return Ok();
    }

    // Noncompliant: Concatenation inside the method call
    [HttpGet]
    public IActionResult FindUserDirect(string uid)
    {
         XmlDocument doc = new XmlDocument();
         // Assume doc is loaded...

         var node = doc.SelectSingleNode("/items/item[@uid='" + uid + "']"); // Violation here

         return Json(node != null);
    }
}

Compliant Code Examples

// test_compliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context
using System.Text.RegularExpressions; // For validation example

public class SafeXPathController : Controller
{
    // Compliant: Hardcoded XPath query
    [HttpGet]
    public IActionResult GetAdmins()
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        // Safe: Query is constant
        String expression = "/users/user[@role='admin']";
        XmlNodeList adminNodes = doc.SelectNodes(expression); // OK

        // Process nodes...
        return Ok();
    }
}