XPath query built from user-controlled sources¶
ID: py/xpath-injectionKind: path-problemSecurity severity: 9.8Severity: errorPrecision: highTags: - security - external/cwe/cwe-643Query suites: - python-code-scanning.qls - python-security-extended.qls - python-security-and-quality.qls
Click to see the query in the CodeQL repository
If an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.
Recommendation¶
If user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.
Example¶
In the example below, the xpath query is controlled by the user and hence leads to a vulnerability.
fromlxmlimportetreefromioimportStringIOfromdjango.urlsimportpathfromdjango.httpimportHttpResponsefromdjango.templateimportTemplate,Context,Engine,enginesdefa(request):value=request.GET['xpath']f=StringIO('<foo><bar></bar></foo>')tree=etree.parse(f)r=tree.xpath("/tag[@id='%s']"%value)urlpatterns=[path('a',a)]
This can be fixed by using a parameterized query as shown below.
fromlxmlimportetreefromioimportStringIOfromdjango.urlsimportpathfromdjango.httpimportHttpResponsefromdjango.templateimportTemplate,Context,Engine,enginesdefa(request):value=request.GET['xpath']f=StringIO('<foo><bar></bar></foo>')tree=etree.parse(f)r=tree.xpath("/tag[@id=$tagid]",tagid=value)urlpatterns=[path('a',a)]
References¶
Common Weakness Enumeration:CWE-643.