CodeQL documentation

XPath injection

ID: java/xml/xpath-injection
Kind: path-problem
Security severity: 9.8
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-643
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls


If an XPath expression is built using string concatenation, and the components of the concatenation include user input, a user can easily craft a malicious XPath expression.

Recommendation

If user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.

XPath injection can also be prevented by using XQuery.

Example

In the first three examples, the code accepts a name and password specified by the user, and uses these unvalidated and unsanitized values in an XPath expression. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.

In the fourth example, the code uses setXPathVariableResolver, which prevents XPath injection.

The final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.

import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// `request` is the servlet request that carries the user-supplied parameters.
final String xmlStr = "<users>" +
                      "   <user name=\"aaa\" pass=\"pass1\"></user>" +
                      "   <user name=\"bbb\" pass=\"pass2\"></user>" +
                      "</users>";
try {
    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
    domFactory.setNamespaceAware(true);
    DocumentBuilder builder = domFactory.newDocumentBuilder();
    //Document doc = builder.parse("user.xml");
    Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));

    XPathFactory factory = XPathFactory.newInstance();
    XPath xpath = factory.newXPath();

    // Injectable data
    String user = request.getParameter("user");
    String pass = request.getParameter("pass");
    if (user != null && pass != null) {
        boolean isExist = false;

        // Bad expression: user input concatenated into the expression string
        String expression1 = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
        isExist = (boolean) xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);
        System.out.println(isExist);

        // Bad expression: compiling does not help when the string is already tainted
        XPathExpression expression2 = xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']");
        isExist = (boolean) expression2.evaluate(doc, XPathConstants.BOOLEAN);
        System.out.println(isExist);

        // Bad expression: StringBuffer.append is still concatenation
        StringBuffer sb = new StringBuffer("/users/user[@name='");
        sb.append(user);
        sb.append("' and @pass='");
        sb.append(pass);
        sb.append("']");
        String query = sb.toString();
        XPathExpression expression3 = xpath.compile(query);
        isExist = (boolean) expression3.evaluate(doc, XPathConstants.BOOLEAN);
        System.out.println(isExist);

        // Good expression: the expression text is constant; values are bound as variables
        String expression4 = "/users/user[@name=$user and @pass=$pass]";
        xpath.setXPathVariableResolver(v -> {
            switch (v.getLocalPart()) {
                case "user":
                    return user;
                case "pass":
                    return pass;
                default:
                    throw new IllegalArgumentException();
            }
        });
        isExist = (boolean) xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);
        System.out.println(isExist);

        // Bad Dom4j
        org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();
        org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));
        isExist = document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']") != null;
        // or document.selectNodes
        System.out.println(isExist);

        // Good Dom4j: values are supplied through a jaxen variable context
        org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();
        svc.setVariableValue("user", user);
        svc.setVariableValue("pass", pass);
        String xpathString = "/users/user[@name=$user and @pass=$pass]";
        org.dom4j.XPath safeXPath = document.createXPath(xpathString);
        safeXPath.setVariableContext(svc);
        isExist = safeXPath.selectSingleNode(document) != null;
        System.out.println(isExist);
    }
} catch (ParserConfigurationException e) {

} catch (SAXException e) {

} catch (XPathExpressionException e) {

} catch (org.dom4j.DocumentException e) {

}
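
The recommendation to pre-compile the query and use variable references, as a self-contained added example (not code from the CodeQL documentation). The class name XPathLoginCheck, the helper exists and the sample document with the name O'Brien are constructed for illustration; Map.of assumes Java 9 or later.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathLoginCheck {
    // Constructed sample data; one name legitimately contains an apostrophe.
    static final String XML = "<users>"
        + "<user name=\"aaa\" pass=\"pass1\"/>"
        + "<user name=\"O'Brien\" pass=\"pass2\"/>"
        + "</users>";

    // Constant expression text: user input never becomes part of the XPath syntax.
    static final String QUERY = "/users/user[@name=$user and @pass=$pass]";

    static boolean exists(Document doc, String user, String pass)
            throws XPathExpressionException {
        Map<String, String> vars = Map.of("user", user, "pass", pass);
        // A fresh XPath per call: XPath objects are not thread-safe, and the
        // resolver must be installed before compile() for $user/$pass to bind.
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name -> {
            String value = vars.get(name.getLocalPart());
            if (value == null) throw new IllegalArgumentException("unbound variable: " + name);
            return value;
        });
        XPathExpression expr = xpath.compile(QUERY);
        return (Boolean) expr.evaluate(doc, XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new InputSource(new StringReader(XML)));
        String user = "O'Brien", pass = "pass2"; // constructed input

        // Bound variables: the apostrophe is plain data and the lookup works.
        System.out.println("bound variables: " + exists(doc, user, pass));

        // Concatenation: the same apostrophe closes the string literal early,
        // so the input has changed the expression's syntax.
        try {
            XPathFactory.newInstance().newXPath()
                .compile("/users/user[@name='" + user + "' and @pass='" + pass + "']");
            System.out.println("concatenated: compiled");
        } catch (XPathExpressionException e) {
            System.out.println("concatenated: rejected by the XPath parser");
        }
    }
}
```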
