- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
",t};e.buildCustomizationMenuUi=t;function n(e){let t='
",t}function s(e){let n=e.filter.currentValue||e.filter.defaultValue,t='${e.filter.label}
`,e.filter.options.forEach(s=>{let o=s.id===n;t+=``}),t+="${e.filter.label}
`,t+=`ID: csharp-security/xpath-injection
Language: C#
Severity: Error
Category: Security
CWE: 643
No description found
// test_noncompliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context
public class VulnerableXPathController : Controller
{
// Noncompliant: Parameters concatenated directly
[HttpGet]
public IActionResult Authenticate(string user, string pass)
{
XmlDocument doc = new XmlDocument();
// Assume doc is loaded with some XML data here...
// doc.Load("users.xml");
// Vulnerable concatenation
String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
// Method call using the concatenated string
XmlNode userNode = doc.SelectSingleNode(expression); // Violation should be reported here
return Json(userNode != null);
}
// Noncompliant: Only one parameter concatenated
[HttpGet]
public IActionResult FindUser(string username)
{
XmlDocument doc = new XmlDocument();
// Assume doc is loaded...
string query = "//user[@id='" + username + "']/data"; // Vulnerable
XmlNodeList nodes = doc.SelectNodes(query); // Violation should be reported here
// Process nodes...
return Ok();
}
// Noncompliant: Concatenation inside the method call
[HttpGet]
public IActionResult FindUserDirect(string uid)
{
XmlDocument doc = new XmlDocument();
// Assume doc is loaded...
var node = doc.SelectSingleNode("/items/item[@uid='" + uid + "']"); // Violation here
return Json(node != null);
}
}
// test_compliant_xpath.cs
using System;
using System.Xml;
using Microsoft.AspNetCore.Mvc; // For context
using System.Text.RegularExpressions; // For validation example
public class SafeXPathController : Controller
{
// Compliant: Hardcoded XPath query
[HttpGet]
public IActionResult GetAdmins()
{
XmlDocument doc = new XmlDocument();
// Assume doc is loaded...
// Safe: Query is constant
String expression = "/users/user[@role='admin']";
XmlNodeList adminNodes = doc.SelectNodes(expression); // OK
// Process nodes...
return Ok();
}
}