csharp.dotnet.security.audit.xpath-injection.xpath-injection


XPath queries are constructed dynamically from user-controlled input. When untrusted data is concatenated into the query string, a value containing a quote or bracket can close the intended string literal and change the structure of the query (for example, neutralising a filter such as `sensitivity/text() ='Public'`), which is XPath injection (CWE-643). Treat the input as data instead: validate it against a strict allowlist, or bind it as an XPath variable rather than building the expression by concatenation.



Definition

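rules:
  - id: xpath-injection
    message: XPath queries are constructed dynamically on user-controlled input.
      This vulnerability in code could lead to an XPath Injection exploitation.
      Do not build the expression by concatenating input into it. Validate the
      value against a strict allowlist, or bind it as an XPath variable (for
      example through a custom XsltContext supplied via
      XPathExpression.SetContext) so it is treated as data, not query syntax.
    severity: ERROR
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe:
        - "CWE-643: Improper Neutralization of Data within XPath Expressions
          ('XPath Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection/
        - https://cwe.mitre.org/data/definitions/643.html
      subcategory:
        - vuln
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    mode: taint
    # NOTE(review): a taint source that matches a whole method definition marks
    # every sub-expression inside that method as tainted, so these sources do
    # not track the named parameter itself; they effectively say "any method
    # with at least one parameter, or one that declares a bare string local".
    # That is why the sinks below still require a string-concatenation shape:
    # without it, a constant XPath expression in such a method would be
    # reported. Narrowing the sources with `focus-metavariable: $INPUT` is the
    # intended follow-up; re-run the rule tests (the examples below) before
    # changing them.
    pattern-sources:
      - pattern-either:
          - pattern: $T $M($INPUT,...) {...}
          - pattern: |
              $T $M(...) {
                ...
                string $INPUT
              }
    # Sinks are written as call expressions rather than full declaration
    # statements, so they match wherever the call appears: inside an
    # `XPathExpression e = ...` / `var e = ...` declaration (the only shapes
    # matched before), a reassignment to an existing variable, a bare
    # statement, or a nested argument. XmlNode/XmlDocument.SelectNodes and
    # SelectSingleNode take XPath strings as well and are covered too.
    # The concatenation shapes cover `"a" + x + "b"`, `"a" + x` and `x + "b"`.
    # TODO(review): interpolated strings ($"...{x}...") and string.Format are
    # not matched by these shapes; add them once the C# pattern syntax for
    # them has been verified against the rule tests.
    pattern-sinks:
      - pattern-either:
          - pattern: $NAV.Compile("..." + $INPUT + "...", ...)
          - pattern: $NAV.Compile("..." + $INPUT, ...)
          - pattern: $NAV.Compile($INPUT + "...", ...)
          - pattern: $NAV.Select("..." + $INPUT + "...", ...)
          - pattern: $NAV.Select("..." + $INPUT, ...)
          - pattern: $NAV.Select($INPUT + "...", ...)
          - pattern: $NAV.Evaluate("..." + $INPUT + "...", ...)
          - pattern: $NAV.Evaluate("..." + $INPUT, ...)
          - pattern: $NAV.Evaluate($INPUT + "...", ...)
          - pattern: $NAV.SelectNodes("..." + $INPUT + "...", ...)
          - pattern: $NAV.SelectNodes("..." + $INPUT, ...)
          - pattern: $NAV.SelectNodes($INPUT + "...", ...)
          - pattern: $NAV.SelectSingleNode("..." + $INPUT + "...", ...)
          - pattern: $NAV.SelectSingleNode("..." + $INPUT, ...)
          - pattern: $NAV.SelectSingleNode($INPUT + "...", ...)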

Examples

xpath-injection.cs

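/// <summary>
/// Vulnerable rule-test fixture: <paramref name="input"/> is concatenated
/// straight into an XPath string, between single quotes. A value containing
/// a quote (for example <c>') or 1=1 or tags[contains(text(),'</c>) closes the
/// literal and rewrites the query, so the
/// <c>sensitivity/text() ='Public'</c> filter can be bypassed (CWE-643).
/// </summary>
/// <param name="input">Caller-supplied search term; must be treated as untrusted.</param>
/// <returns>The result list, which this fixture never populates.</returns>
public List<Knowledge> Search(string input)
{
    List<Knowledge> searchResult = new List<Knowledge>();
    var webRoot = _env.WebRootPath;
    var file = System.IO.Path.Combine(webRoot, "Knowledgebase.xml");

    XmlDocument XmlDoc = new XmlDocument();
    XmlDoc.Load(file);

    XPathNavigator nav = XmlDoc.CreateNavigator();
    // The user-controlled value becomes part of the query syntax here.
    // ruleid: xpath-injection
    XPathExpression expr = nav.Compile(@"//knowledge[tags[contains(text(),'" + input + "')] and sensitivity/text() ='Public']");

    // The method is declared to return a list; the original fixture had no
    // return statement at all, which does not compile.
    return searchResult;
}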

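/// <summary>
/// Safe rule-test fixture: the XPath expression is a compile-time constant, so
/// <paramref name="input"/> never reaches the query and cannot change its
/// structure. To search on a caller-supplied term safely, bind it as an XPath
/// variable (for example via a custom <c>XsltContext</c> passed to
/// <c>XPathExpression.SetContext</c>) or validate it against a strict
/// allowlist; never splice it into the expression string.
/// </summary>
/// <param name="input">Caller-supplied search term; intentionally unused here.</param>
/// <returns>The result list, which this fixture never populates.</returns>
public List<Knowledge> Search(string input)
{
    List<Knowledge> searchResult = new List<Knowledge>();
    var webRoot = _env.WebRootPath;
    var file = System.IO.Path.Combine(webRoot, "Knowledgebase.xml");

    XmlDocument XmlDoc = new XmlDocument();
    XmlDoc.Load(file);

    XPathNavigator nav = XmlDoc.CreateNavigator();
    // Constant query: no untrusted data is part of the expression.
    // ok: xpath-injection
    XPathExpression expr = nav.Compile(@"//knowledge[tags[contains(text(),'keyword')] and sensitivity/text() ='Public']");

    var matchedNodes = nav.Select(expr);

    // The method is declared to return a list; the original fixture had no
    // return statement at all, which does not compile.
    return searchResult;
}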