hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
sauyon/java-spring-stringutils
codeql/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs
Tom Hvitved fc74a482a4 C#: More XPath injection sinks
2020-03-19 14:13:35 +01:00

68 lines
1.8 KiB
C#
Raw Permalink Blame History

// semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/System.Data.cs /r:System.Private.Xml.dll /r:System.Xml.XPath.dll /r:System.Data.Common.dll /r:System.Runtime.Extensions.dll
using System;
using System.Web;
using System.Xml;
using System.Xml.XPath;
public class XPathInjectionHandler : IHttpHandler
{
public void ProcessRequest(HttpContext ctx)
{
string userName = ctx.Request.QueryString["userName"];
string password = ctx.Request.QueryString["password"];
var s = "//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()";
// BAD: User input used directly in an XPath expression
XPathExpression.Compile(s);
XmlNode xmlNode = null;
// BAD: User input used directly in an XPath expression to SelectNodes
xmlNode.SelectNodes(s);
// GOOD: Uses parameters to avoid including user input directly in XPath expression
var expr = XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()");
var doc = new XPathDocument("");
var nav = doc.CreateNavigator();
// BAD
nav.Select(s);
// GOOD
nav.Select(expr);
// BAD
nav.SelectSingleNode(s);
// GOOD
nav.SelectSingleNode(expr);
// BAD
nav.Compile(s);
// GOOD
nav.Compile("//users/user[login/text()=$username]/home_dir/text()");
// BAD
nav.Evaluate(s);
// Good
nav.Evaluate(expr);
// BAD
nav.Matches(s);
// GOOD
nav.Matches(expr);
}
public bool IsReusable
{
get
{
return true;
}
}
}
Reference in New Issue View Git Blame Copy Permalink