contrib.nodejsscan.xpathi_node.node_xpath_injection

profile photo of returntocorpreturntocorp
Author
99
Download Count*
GPLv3
License

User controlled data in xpath.parse() can result in XPATH injection vulnerability.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: node_xpath_injection
    patterns:
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      - pattern-either:
          - pattern: |
              $XPATH.parse(<... "=~/[\/\/].+/" + $REQ.$QUERY.$VAR ...>, ...)
          - pattern: |
              $XPATH.parse(<... "=~/[\/\/].+/" + $REQ.$PARAM ...>, ...)
          - pattern: |
              $XPATH.parse(<... "=~/[\/\/].+/" + $REQ.$PARAM["..."] ...>, ...)
          - pattern: |
              $XPATH.parse(<... "=~/[\/\/].+/" + $REQ.$PARAM("...") ...>, ...)
          - pattern: |
              $XPATH.parse(<... "=~/[\/\/].+/" + $REQ["..."] ...>, ...)
          - pattern: |
              $XPATH.parse(<... "=~/[\/\/].+/" + $REQ("...") ...>, ...)
          - pattern: |
              $INP = <... $REQ.$QUERY.$VAR ...>;
              ...
              $XPATH.parse(<... "=~/[\/\/].+/" + $INP ...>, ...);
          - pattern: |
              $INP = <... $REQ.$PARAM ...>;
              ...
              $XPATH.parse(<... "=~/[\/\/].+/" + $INP ...>, ...);
          - pattern: |
              $INP = <... $REQ.$PARAM["..."] ...>;
              ...
              $XPATH.parse(<... "=~/[\/\/].+/" + $INP ...>, ...);
          - pattern: |
              $INP = <... $REQ.$PARAM("...") ...>;
              ...
              $XPATH.parse(<... "=~/[\/\/].+/" + $INP ...>, ...);
          - pattern: |
              $INP = <... $REQ["..."] ...>;
              ...
              $XPATH.parse(<... "=~/[\/\/].+/" + $INP ...>, ...);
          - pattern: |
              $INP = <... $REQ("...") ...>;
              ...
              $XPATH.parse(<... "=~/[\/\/].+/" + $INP ...>, ...);
    message: User controlled data in xpath.parse() can result in XPATH injection
      vulnerability.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp: A01:2017 - Injection
      cwe: "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath
        Injection')"
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

xpathi_node.js

var xpath = require('xpath');
var express = require('express');

var app = express();

app.get('/xpath', function (req, res) {
    // ruleid:node_xpath_injection
    var expr = xpath.parse("//persons/user[name/text()='" + req.param("name") + "']/details/text()");
    // ruleid:node_xpath_injection
    expr = xpath.parse("//persons/user[name/text()='" + req.param.name + "']/details/text()");
    // ruleid:node_xpath_injection
    expr = xpath.parse("//persons/user[name/text()='" + req["name"] + "']/details/text()");
    // ruleid:node_xpath_injection
    var foo = req.param;
    expr = xpath.parse("//persons/user[name/text()='" + foo + "']/details/text()");
    //do not match
    expr = JSON.parse("{'foo':" + req.param + "}");
    res.redirect('/home')
});