From 948b79df876ba58858656feb9fd5426236190816 Mon Sep 17 00:00:00 2001
From: intrigus
Date: Fri, 20 Mar 2020 21:09:28 +0100
Subject: [PATCH] Update xpath example, use goxpath package

---
 .../Security/CWE-643/XPathInjection.go | 37 +++++++++++++------
 1 file changed, 25 insertions(+), 12 deletions(-)

diff --git a/ql/src/experimental/Security/CWE-643/XPathInjection.go b/ql/src/experimental/Security/CWE-643/XPathInjection.go
index 5d51fa32809..869c98acb89 100644
--- a/ql/src/experimental/Security/CWE-643/XPathInjection.go
+++ b/ql/src/experimental/Security/CWE-643/XPathInjection.go
@@ -1,19 +1,32 @@
 package main
 
 import (
- "net/http"
- "github.com/moovweb/gokogiri"
+ "fmt"
+ "net/http"
+
+ "github.com/ChrisTrenkamp/goxpath"
+ "github.com/ChrisTrenkamp/goxpath/tree"
 )
 
-func processRequest(r *http.Request, doc *XmlDocument) {
- r.parseForm()
- username := r.Form.Get("username")
- password := r.Form.Get("password")
-
- root := doc.Root()
- // BAD: User input used directly in an XPath expression
- doc, _ := root.SearchWithVariables("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()")
+func main() {}
 
- // GOOD: Uses parameters to avoid including user input directly in XPath expression
- doc, _ := root.SearchWithVariables("//users/user[login/text()=$username and password/text() = $password]/home_dir/text()")
+func processRequest(r *http.Request, doc tree.Node) {
+ r.ParseForm()
+ username := r.Form.Get("username")
+ password := r.Form.Get("password")
+
+ // BAD: User input used directly in an XPath expression
+ xPath := goxpath.MustParse("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()")
+ unsafeRes, _ := xPath.ExecBool(doc)
+ fmt.Println(unsafeRes)
+
+ // GOOD: Value of parameters is defined here instead of directly in the query
+ opt := func(o *goxpath.Opts) {
+  o.Vars["username"] = tree.String(username)
+  o.Vars["password"] = tree.String(password)
+ }
+ // GOOD: Uses parameters to avoid including user input directly in XPath expression
+ xPath = goxpath.MustParse("//users/user[login/text()=$username and password/text() = $password]/home_dir/text()")
+ safeRes, _ := xPath.ExecBool(doc, opt)
+ fmt.Println(safeRes)
 }
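Review bot: The BAD branch passes the concatenated, request-controlled string to `goxpath.MustParse`, so a form value that leaves the expression syntactically invalid does not merely alter the query, it panics inside the handler; since this file is the documentation example for the query, the comment should say so, e.g. `// BAD: user input is concatenated into the XPath expression (and MustParse panics if the result is not valid XPath)`. The new code also discards every error: `r.ParseForm()` on the second line of processRequest, and the second result of both `ExecBool` calls, so a failed parse or evaluation is silently reported as `false`; in the GOOD branch at least, `if err := r.ParseForm(); err != nil { return }` and checking the `ExecBool` error would keep the "correct" example from teaching an error-swallowing idiom. Using the parameterized expression in the GOOD branch also means the query string is constant, so `MustParse` there is appropriate and could be hoisted to package scope as a `var` to make the contrast with the BAD branch explicit.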