
IAR Embedded Workbench for RL78 5.20

SEC-INJECTION-xpath

Synopsis

User input is improperly used as an XPath expression.

Enabled by default

No

Severity/Certainty

Medium/Medium

Full description

An XPath expression is constructed either entirely or partially from user input. User input used in XPath expressions must be sanitized before being used. An attacker could provide input to expose the structure of the XML document, or to access fields they normally do not have access to. Unlike databases, XML documents queried with XPath have no access control at any level, so an attacker who controls the expression can reach the entire document.

This check supports the following C/C++ libraries for XPath:

* libxml2
* Xerces
* MSXML
* libxml++
* TinyXPath
* libroxml
* pugixml

User input should be checked through string comparison or similar before being used in an XPath query.

Coding standards
CWE 91

XML Injection (aka Blind XPath Injection)

Code examples

The following code example fails the check and will give a warning:

#include <stdio.h>
#include <string.h>
#include <libxml/xpath.h>

void example(xmlXPathContextPtr ctx) {
  char name[64];
  char xpath[128];
  fgets(name, sizeof name, stdin);        /* user input: the taint source for this check */
  strcpy(xpath, "children::*[@name = '");
  strcat(xpath, name);                    /* unchecked input spliced into the expression */
  strcat(xpath, "']");
  xmlXPathEval((const xmlChar *)xpath, ctx);
}

The following code example passes the check and will not give a warning about this issue:

#include <string.h>
#include <libxml/xpath.h>

/* name is a parameter rather than direct user input, so the check does not flag it */
void example(xmlXPathContextPtr ctx, const char *name) {
  char xpath[128];
  strcpy(xpath, "children::*[@name = '");
  strcat(xpath, name);
  strcat(xpath, "']");
  xmlXPathEval((const xmlChar *)xpath, ctx);
}
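The passing example above only moves the problem to the caller: whoever supplies name must have validated it. The following block, an added example that is not part of the IAR documentation, shows the "string comparison or similar" check the description asks for: the value is compared against a fixed allow-list before the expression is built, and anything else (including values containing quote or bracket characters) is rejected. The allow-list, buffer sizes and the function names is_allowed_name, build_name_query and query_for are assumptions made for this example.

```c
/* Added example (not from the IAR documentation): validate user input before it
 * reaches an XPath expression. The allow-list, buffer sizes and function names
 * are assumptions made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allow-list: the only attribute values the application expects. */
static const char *const allowed_names[] = { "alice", "bob", "carol" };

/* Exact string comparison against the allow-list. XPath metacharacters such as
 * quotes, brackets or '/' can never pass, because no allowed entry contains them. */
bool is_allowed_name(const char *name) {
  if (name == NULL) return false;
  for (size_t i = 0; i < sizeof allowed_names / sizeof allowed_names[0]; i++) {
    if (strcmp(name, allowed_names[i]) == 0) return true;
  }
  return false;
}

/* Build "children::*[@name = '<name>']" into out. Returns 0 on success and -1 if
 * the name is rejected or the output buffer is too small. */
int build_name_query(char *out, size_t out_len, const char *name) {
  if (!is_allowed_name(name)) return -1;
  int n = snprintf(out, out_len, "children::*[@name = '%s']", name);
  if (n < 0 || (size_t)n >= out_len) return -1;
  return 0;
}

/* Convenience wrapper: pointer to a static buffer holding the query, or NULL
 * when the input is rejected. */
const char *query_for(const char *name) {
  static char buf[128];
  return build_name_query(buf, sizeof buf, name) == 0 ? buf : NULL;
}

int main(void) {
  /* Constructed sample input: one allowed value, one unknown, one with a metacharacter. */
  const char *inputs[] = { "alice", "eve", "alice']" };
  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
    const char *q = query_for(inputs[i]);
    printf("%-10s -> %s\n", inputs[i], q ? q : "rejected");
  }
  return 0;
}
```

An exact-match allow-list is the right tool when the set of valid values is known. When it is open-ended, the safer design with libxml2 is to avoid string concatenation altogether: bind the value with xmlXPathRegisterVariable on the context and reference it as $name in a fixed expression, so the value is never parsed as part of the XPath syntax.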