Unsanitized User Input in XPath

Overview

• Rule ID: java_lang_xpath_injection

• Applicable Languages: Java

• Weakness ID: CWE-643

Description

Using unsanitized user input in XPath expressions can lead to XPath injection, allowing attackers to gain unauthorized access to sensitive information in XML documents. Ensure that all variables passed into XPath evaluation or compilation commands are properly sanitized.

Remediation Guidelines

• Sanitize user input before including it in XPath queries to prevent XPath injection. This ensures that input values cannot alter the query structure.

  Copy

  public class Cls extends HttpServlet
    {
       public void handleRequest(HttpServletRequest request, HttpServletResponse response)
          {
              String userID = request.getParameter("userID");
              String sanitizedUserID = sanitize(userID); // Ensure sanitization
  
              javax.xml.xpath.XPathFactory xpf = javax.xml.xpath.XPathFactory.newInstance();
              javax.xml.xpath.XPath xp = xpf.newXPath();
  
              String expression = "/Users/User[@userID='" + sanitizedUserID + "']";
              String result = xp.evaluate(expression, xmlDocument);
          }
    }
  

• Do not directly concatenate or embed unsanitized user inputs into XPath expressions. This practice can lead to XPath injection vulnerabilities.

References

• XPATH Injection

• CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

• OWASP Top 10: A03:2021 - Injection

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL