Unsanitized user input in XPath

Description

Using unsanitized user input in XPath expressions can lead to XPath injection, whereby attackers can gain unauthorized access to sensitive information in XML documents. Ensure all variables passed into XPath evaluate or compile commands are properly sanitized.

Remediations

  • Do sanitize user input before incorporating it into XPath queries. This prevents XPath injection by ensuring that input values cannot manipulate the query structure.
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.xml.xpath.XPathExpressionException;

    public class Cls extends HttpServlet
    {
        private org.w3c.dom.Document xmlDocument; // parsed XML document, loaded elsewhere

        public void handleRequest(HttpServletRequest request, HttpServletResponse response)
            throws XPathExpressionException // XPath.evaluate throws a checked exception
        {
            String userID = request.getParameter("userID");
            String sanitizedUserID = sanitize(userID); // Ensure sanitization (application-supplied validation, not shown)

            javax.xml.xpath.XPathFactory xpf = javax.xml.xpath.XPathFactory.newInstance();
            javax.xml.xpath.XPath xp = xpf.newXPath();

            // Only the sanitized value reaches the expression
            String expression = "/Users/User[@userID='" + sanitizedUserID + "']";
            String result = xp.evaluate(expression, xmlDocument);
        }
    }
  • Do not directly concatenate or embed unsanitized user inputs into XPath expressions. This practice can lead to XPath injection vulnerabilities.

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_xpath_injection

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_xpath_injection