csharp.dotnet.security.audit.xpath-injection.xpath-injection
XPath queries are constructed dynamically from user-controlled input. This vulnerability could lead to XPath Injection.
Definition
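# Semgrep taint rule: flags XPath expressions built by string concatenation from
# a method parameter (or a local `string` declared in the method) and handed to
# an XPathNavigator. Indentation restored so the rule parses as YAML.
rules:
  - id: xpath-injection
    message: XPath queries are constructed dynamically on user-controlled input.
      This vulnerability in code could lead to an XPath Injection exploitation.
    severity: ERROR
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe:
        - "CWE-643: Improper Neutralization of Data within XPath Expressions
          ('XPath Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection/
        - https://cwe.mitre.org/data/definitions/643.html
      subcategory:
        - vuln
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XPath Injection
    languages:
      - csharp
    mode: taint
    # Sources: every parameter of a method, or any `string` local declared in it, is
    # treated as tainted. This is deliberately broad (MEDIUM confidence) — parameters
    # of internal helpers count as sources too, so expect some false positives.
    pattern-sources:
      - pattern-either:
          - pattern: $T $M($INPUT,...) {...}
          - pattern: |
              $T $M(...) {
                ...
                string $INPUT;
              }
    # Sinks: the tainted value concatenated into the string passed to
    # XPathNavigator.Compile / Select / Evaluate, in a variable declaration.
    # NOTE(review): only `"..." + $INPUT + "..."` concatenation assigned to a declared
    # variable is matched; interpolated strings, string.Format, or a call used as a
    # bare statement appear not to be covered — confirm against Semgrep's matcher before
    # relying on this rule for completeness.
    pattern-sinks:
      - pattern-either:
          - pattern: XPathExpression $EXPR = $NAV.Compile("..." + $INPUT + "...");
          - pattern: var $EXPR = $NAV.Compile("..." + $INPUT + "...");
          - pattern: XPathNodeIterator $NODE = $NAV.Select("..." + $INPUT + "...");
          - pattern: var $NODE = $NAV.Select("..." + $INPUT + "...");
          - pattern: Object $OBJ = $NAV.Evaluate("..." + $INPUT + "...");
          - pattern: var $OBJ = $NAV.Evaluate("..." + $INPUT + "...");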
Examples
xpath-injection.cs
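/// <summary>
/// Searches the knowledge base for entries whose tags contain <paramref name="input"/>.
/// Semgrep test fixture: the TRUE POSITIVE case for rule <c>xpath-injection</c>.
/// </summary>
/// <param name="input">Caller-supplied search term. The rule treats it as tainted because
/// it is a method parameter.</param>
/// <returns>The result list; left empty here because the fixture only exercises the sink.</returns>
public List<Knowledge> Search(string input)
{
    List<Knowledge> searchResult = new List<Knowledge>();
    var webRoot = _env.WebRootPath;
    // NOTE(review): WebRootPath is normally the static-files root; if static files are
    // served, the whole XML (not only 'Public' entries) may be downloadable — confirm.
    var file = System.IO.Path.Combine(webRoot, "Knowledgebase.xml");
    XmlDocument XmlDoc = new XmlDocument();
    XmlDoc.Load(file);
    XPathNavigator nav = XmlDoc.CreateNavigator();
    // The search term is spliced into an XPath string literal by concatenation. A quote
    // in `input` terminates that literal, so the caller can alter the query's logic,
    // including the sensitivity filter. Mitigation: bind the value as an XPath variable
    // (a custom XsltContext passed to XPathExpression.SetContext) or allow-list the
    // characters accepted in `input` before it reaches the query.
    // ruleid: xpath-injection
    XPathExpression expr = nav.Compile(@"//knowledge[tags[contains(text(),'" + input + "')] and sensitivity/text() ='Public']");
    // Added so the declared return type is honoured; the fixture never populated the list.
    return searchResult;
}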
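/// <summary>
/// Searches the knowledge base with a fixed XPath expression.
/// Semgrep test fixture: the TRUE NEGATIVE case for rule <c>xpath-injection</c> — no
/// tainted value reaches the XPath string.
/// </summary>
/// <param name="input">Present for signature parity with the positive case; not used in the query.</param>
/// <returns>The result list; left empty here because the fixture only exercises the sink.</returns>
public List<Knowledge> Search(string input)
{
    List<Knowledge> searchResult = new List<Knowledge>();
    // Presumably kept as the counterpart of the rule's second source pattern
    // (`string $INPUT;` declared inside the method); commented out, so it is not a source.
    //string input;
    var webRoot = _env.WebRootPath;
    var file = System.IO.Path.Combine(webRoot, "Knowledgebase.xml");
    XmlDocument XmlDoc = new XmlDocument();
    XmlDoc.Load(file);
    XPathNavigator nav = XmlDoc.CreateNavigator();
    // Constant query: the search term is a literal, not caller data, so the rule must not fire.
    // ok: xpath-injection
    XPathExpression expr = nav.Compile(@"//knowledge[tags[contains(text(),'keyword')] and sensitivity/text() ='Public']");
    // Select over an already-compiled expression is not one of the rule's sinks.
    var matchedNodes = nav.Select(expr);
    // Added so the declared return type is honoured; the fixture never populated the list.
    return searchResult;
}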