This rule is designed to detect and prevent potential XPath Injection vulnerabilities in your C# code. XPath Injection is a type of attack where an attacker can manipulate the structure of an XPath query by injecting malicious input. This can lead to unauthorized data access or manipulation in XML databases or documents.
The importance of this rule lies in its ability to safeguard sensitive data and uphold the integrity of your application. If an attacker can control the structure of an XPath query, they could potentially access or manipulate data they should not have access to. This could lead to data breaches or unauthorized changes to your data.
How to remediate
Avoid constructing XPath queries using string concatenation with user-controlled data. Instead, consider safer alternatives, such as parameterized XPath queries or validating user input before including it in an XPath query. For example, you could use regular expressions to ensure the user input only contains characters you expect. If user input must be included in an XPath query, it should be properly escaped or encoded to prevent the input from being interpreted as XPath syntax.
Non-Compliant Code Examples
// test_noncompliant_xpath.csusingSystem;usingSystem.Xml;usingMicrosoft.AspNetCore.Mvc;// For contextpublicclassVulnerableXPathController:Controller{// Noncompliant: Parameters concatenated directly [HttpGet]publicIActionResultAuthenticate(stringuser,stringpass){XmlDocumentdoc=newXmlDocument();// Assume doc is loaded with some XML data here...// doc.Load("users.xml");// Vulnerable concatenationStringexpression="/users/user[@name='"+user+"' and @pass='"+pass+"']";// Method call using the concatenated stringXmlNodeuserNode=doc.SelectSingleNode(expression);// Violation should be reported herereturnJson(userNode!=null);}// Noncompliant: Only one parameter concatenated [HttpGet]publicIActionResultFindUser(stringusername){XmlDocumentdoc=newXmlDocument();// Assume doc is loaded...stringquery="//user[@id='"+username+"']/data";// VulnerableXmlNodeListnodes=doc.SelectNodes(query);// Violation should be reported here// Process nodes...returnOk();}// Noncompliant: Concatenation inside the method call [HttpGet]publicIActionResultFindUserDirect(stringuid){XmlDocumentdoc=newXmlDocument();// Assume doc is loaded...varnode=doc.SelectSingleNode("/items/item[@uid='"+uid+"']");// Violation herereturnJson(node!=null);}}
Compliant Code Examples
// test_compliant_xpath.csusingSystem;usingSystem.Xml;usingMicrosoft.AspNetCore.Mvc;// For contextusingSystem.Text.RegularExpressions;// For validation examplepublicclassSafeXPathController:Controller{// Compliant: Hardcoded XPath query [HttpGet]publicIActionResultGetAdmins(){XmlDocumentdoc=newXmlDocument();// Assume doc is loaded...// Safe: Query is constantStringexpression="/users/user[@role='admin']";XmlNodeListadminNodes=doc.SelectNodes(expression);// OK// Process nodes...returnOk();}}
シームレスな統合。 Datadog Code Security をお試しください
Datadog Code Security
このルールを試し、Datadog Code Security でコードを解析する
このルールの使用方法
1
2
rulesets:- csharp-security # Rules to enforce C# security.