Detect an XPath input from an HTTP request

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST 규칙 > Detect an XPath input from an HTTP request

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: java-security/tainted-xpath

Language: Java

Severity: Warning

Category: Security

CWE: 643

Description

This rule identifies potential security vulnerabilities in your code where an XPath expression may be influenced by data coming from an HTTP request. This could lead to what is known as an XPath Injection attack, where an attacker could manipulate the XPath query to access unauthorized data, or potentially cause other harmful effects.

This rule is crucial because XPath Injection is a severe security risk, similar to SQL Injection. If an attacker can control part of an XPath query, they can alter the query’s logic, leading to unauthorized access or exposure to sensitive data.

Never construct XPath queries using string concatenation with unvalidated input. Instead, always use parameterized queries or sanitize the input before using it in an XPath query. If possible, limit the XPath functionality that your application uses to reduce the attack surface. You can also use APIs that automatically protect against XPath Injection, or use a web application firewall to detect and block attack attempts.

Non-Compliant Code Examples

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPath;

public class NonCompliant {
    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        String param = "<default>";
        java.util.Enumeration<String> headers = request.getHeaders("X-Some-Header");

        if (headers != null && headers.hasMoreElements()) {
            param = headers.nextElement();
        }

        param = java.net.URLDecoder.decode(param, "UTF-8");

        XPathFactory xpf = XPathFactory.newInstance();
        XPath xp = xpf.newXPath();

        String expression = "/Employees/Employee[@emplid='" + param + "']";
        xp.compile(expression).evaluate(xmlDocument);
    }
}

import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class NonCompliant2 {

    @PostMapping("/")
    public void handlePost(@RequestHeader("X-Some-Header") String headerValue) {
        XPathFactory xpf = XPathFactory.newInstance();
        XPath xp = xpf.newXPath();

        String expression = "/Employees/Employee[@emplid='" + headerValue + "']";
        xp.compile(expression).evaluate(xmlDocument);
    }
}

Compliant Code Examples

import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPath;

public class Compliant {
    public void searchXml() {
        XPathFactory xpf = XPathFactory.newInstance();
        XPath xp = xpf.newXPath();
        // Safe: using hardcoded XPath expression without user input
        String expression = "/Employees/Employee[@emplid='12345']";
        xp.compile(expression);
    }
}