Unsanitized user input in XPath

Description

Unsanitized user input in XPath expressions can result in XPath injection. This vulnerability occurs when user input is used directly in XPath queries without proper sanitization, potentially granting unauthorized access to sensitive data within XML documents.

Remediations

  • Do not directly use user input in XPath expressions. This can lead to XPath injection vulnerabilities.
  • Do sanitize user input before including it in XPath queries. Ensure that any data derived from user input is properly cleaned to prevent injection attacks.
  • Do use parameterized queries wherever possible, to ensure that user input is treated as a literal value and not executable code.
  • Do prefer the defusedxml.lxml module, as it is a more secure XML module that offers built-in protections against XML-related attacks including XPath injection.
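The following is an added example (not part of the original rule text or of Bearer's code) that shows the difference between the two approaches above in Python. It assumes lxml is installed and uses a small constructed XML document; the function names and the sample users are assumptions for illustration. The vulnerable lookup splices the input into the query string, so a crafted value changes the query's logic and returns every user's secret; the parameterized lookup binds the value as an XPath variable, so it is only ever compared as a literal, and an allowlist check rejects values that are not plausible user names before the query runs.

```python
import re
from lxml import etree

# Constructed sample document (not from the page): two users, each with a secret.
USERS_XML = b"""
<users>
  <user name="alice" role="user"><secret>alice-token</secret></user>
  <user name="bob" role="admin"><secret>bob-token</secret></user>
</users>
"""
ROOT = etree.fromstring(USERS_XML)


def lookup_secret_vulnerable(name):
    """Flagged pattern: the query is built by string formatting, so the user
    input is parsed as XPath syntax rather than treated as a value."""
    query = f"//user[@name='{name}']/secret/text()"
    return [str(s) for s in ROOT.xpath(query)]


def lookup_secret_parameterized(name):
    """Remediated pattern: lxml XPath variables ($name) bind the input as a
    literal string; quotes or operators in it never reach the XPath parser."""
    return [str(s) for s in ROOT.xpath("//user[@name=$name]/secret/text()", name=name)]


# Allowlist for user names (assumption for this example): letters, digits, underscore.
_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_name(name):
    """Input validation step: reject anything outside the expected character set."""
    return _NAME_RE.fullmatch(name) is not None


def lookup_secret_validated(name):
    """Defense in depth: validate first, then query with a bound variable."""
    if not is_valid_name(name):
        raise ValueError("rejected user name: %r" % name)
    return lookup_secret_parameterized(name)


if __name__ == "__main__":
    crafted = "' or '1'='1"  # constructed input that breaks out of the quoted predicate
    print("vulnerable:", lookup_secret_vulnerable(crafted))        # every secret leaks
    print("parameterized:", lookup_secret_parameterized(crafted))  # no match
    print("validated:", is_valid_name(crafted))                     # False
```

Note that the parameterized form alone is sufficient to stop the injection; the allowlist is an additional layer that also catches malformed input early and keeps it out of logs and error messages.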

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=python_lang_xpath_injection

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=python_lang_xpath_injection