Noncompliant Code Examples

```csharp
// test_noncompliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context

public class VulnerableXPathController : Controller
{
    // Noncompliant: Parameters concatenated directly
    [HttpGet]
    public IActionResult Authenticate(string user, string pass)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded with some XML data here...
        // doc.Load("users.xml");

        // Vulnerable concatenation
        String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
        // Method call using the concatenated string
        XmlNode userNode = doc.SelectSingleNode(expression); // Violation should be reported here
        return Json(userNode != null);
    }

    // Noncompliant: Only one parameter concatenated
    [HttpGet]
    public IActionResult FindUser(string username)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...
        string query = "//user[@id='" + username + "']/data"; // Vulnerable
        XmlNodeList nodes = doc.SelectNodes(query); // Violation should be reported here
        // Process nodes...
        return Ok();
    }

    // Noncompliant: Concatenation inside the method call
    [HttpGet]
    public IActionResult FindUserDirect(string uid)
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...
        var node = doc.SelectSingleNode("/items/item[@uid='" + uid + "']"); // Violation here
        return Json(node != null);
    }
}
```
Compliant Code Examples
```csharp
// test_compliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context
using System.Text.RegularExpressions; // For validation example

public class SafeXPathController : Controller
{
    // Compliant: Hardcoded XPath query
    [HttpGet]
    public IActionResult GetAdmins()
    {
        XmlDocument doc = new XmlDocument();
        // Assume doc is loaded...

        // Safe: Query is constant
        String expression = "/users/user[@role='admin']";
        XmlNodeList adminNodes = doc.SelectNodes(expression); // OK
        // Process nodes...
        return Ok();
    }
}
```
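The compliant example above only covers a constant query. The following is an added example, not part of the rule page, showing how the `Authenticate` endpoint can accept user-supplied values without letting them reach the XPath grammar: an allowlist check (the validation the compliant file imports `System.Text.RegularExpressions` for) plus a helper that renders any string as a well-formed XPath literal. The controller name, the `ToXPathLiteral` helper and the `users.xml` path are assumptions.

```csharp
// Added example, not from the Datadog rule page. Hypothetical controller.
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml;
using Microsoft.AspNetCore.Mvc;

public class HardenedXPathController : Controller
{
    // Allowlist: only identifier-like user names reach the query at all.
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9_.-]{1,64}$");

    // Render an arbitrary string as an XPath string literal (assumed helper).
    // No apostrophe  -> '...'; no double quote -> "..."; both present ->
    // concat('..', "'", '..') so no quote in the value can close the literal.
    public static string ToXPathLiteral(string value)
    {
        if (value.IndexOf('\'') < 0) return "'" + value + "'";
        if (value.IndexOf('"') < 0) return "\"" + value + "\"";
        var parts = value.Split('\'').Select(p => "'" + p + "'");
        return "concat(" + string.Join(", \"'\", ", parts) + ")";
    }

    [HttpGet]
    public IActionResult Authenticate(string user, string pass)
    {
        // Reject anything outside the allowlist before it touches the query.
        if (user == null || !SafeName.IsMatch(user))
            return BadRequest();

        XmlDocument doc = new XmlDocument();
        doc.Load("users.xml"); // assumed path, as in the rule's own examples

        // The predicate is built only from literals the helper guarantees are
        // well-formed: a ' or " inside pass cannot alter the query structure.
        string expression = "/users/user[@name=" + ToXPathLiteral(user) +
                            " and @pass=" + ToXPathLiteral(pass ?? "") + "]";
        XmlNode userNode = doc.SelectSingleNode(expression);
        return Json(userNode != null);
    }
}
```

Because the rule's compliant example is a constant query, treat helper-based quoting as defence in depth and keep queries constant (or bind values through a custom `XsltContext`) wherever the data model allows.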
How to use this rule
```yaml
rulesets:
  - csharp-security # Rules to enforce C# security.
```

Create a `static-analysis.datadog.yml` with the content above at the root of your repository.

Use our free IDE Plugins or add Code Security scans to your CI pipelines.