Unvalidated input used in XPath expression
Description
User input is used in XPath expressions without proper validation, which may lead to XPath Injection, allowing an attacker to bypass authentication or authorization, or extract sensitive XML data.
Examples
Insecure Code

```java
// userInput is interpolated verbatim into the query: a quote in the input
// terminates the string literal and lets the caller rewrite the predicate.
String expression = String.format("//books/book[author='%s']", userInput);
xpath.evaluate(expression, doc, XPathConstants.NODESET);
```

Secure Code

```java
// Only fixed, known-good values can reach the query.
List<String> ALLOWED = List.of("Author1", "Author2");
if (ALLOWED.contains(userInput)) {
    String expression = String.format("//books/book[author='%s']", userInput);
    xpath.evaluate(expression, doc, XPathConstants.NODESET);
}
```

Remediation
Avoid directly injecting user input into XPath expressions and use allowlists to validate any dynamic input.
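The following is an added, self-contained example and not code from the rule page. It builds a small in-memory XML document (constructed here), runs the rule's flagged `String.format` pattern against it, and sets it beside two hardened variants: the allowlist the rule recommends, and, as an additional technique the rule does not mention, binding the value through `javax.xml.xpath.XPathVariableResolver` so that it is compared as a string and never becomes part of the expression text. The class and method names, the sample document and the inputs are all assumptions made for the example.

```java
// Added example (not part of the rule page). Demonstrates CWE-643 with a
// constructed document and shows the allowlist fix plus XPath variable binding.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathInjectionDemo {

    // Constructed sample document; the first two authors match the rule's allowlist.
    private static final String XML =
          "<books>"
        + "  <book><author>Author1</author><title>First</title></book>"
        + "  <book><author>Author2</author><title>Second</title></book>"
        + "  <book><author>Hidden</author><title>Internal only</title></book>"
        + "</books>";

    private static final List<String> ALLOWED = List.of("Author1", "Author2");

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Not the subject of this rule, but refusing DOCTYPEs closes XXE on untrusted XML.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // INSECURE: the rule's flagged pattern, user input concatenated into the expression.
    static int countInsecure(Document doc, String userInput) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String expression = String.format("//books/book[author='%s']", userInput);
        NodeList nodes = (NodeList) xpath.evaluate(expression, doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    // SECURE (allowlist, as in the rule's fix): anything outside the fixed set is rejected
    // before a query is built, so only literal, known-good values are ever interpolated.
    static int countAllowlisted(Document doc, String userInput) throws XPathExpressionException {
        if (!ALLOWED.contains(userInput)) {
            return 0; // reject; in production also log the rejected value for detection
        }
        return countInsecure(doc, userInput);
    }

    // SECURE (variable binding; an addition to the rule's remediation): the value is
    // supplied to the engine as a string variable, so quotes in it cannot alter the query.
    static int countParameterized(Document doc, String userInput) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver((QName name) ->
                "author".equals(name.getLocalPart()) ? userInput : null);
        NodeList nodes = (NodeList) xpath.evaluate(
                "//books/book[author=$author]", doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(XML);
        String benign = "Author1";
        // Constructed hostile input: closes the quoted literal and appends an always-true predicate.
        String hostile = "' or '1'='1";

        System.out.println("insecure, benign:       " + countInsecure(doc, benign));
        System.out.println("insecure, hostile:      " + countInsecure(doc, hostile));
        System.out.println("allowlist, hostile:     " + countAllowlisted(doc, hostile));
        System.out.println("parameterized, hostile: " + countParameterized(doc, hostile));
    }
}
```

Running `main` shows the difference the rule is about: with the hostile input, `countInsecure` matches every `book` element, including the one the caller should never see, because the predicate has been rewritten to `author='' or '1'='1'`; `countAllowlisted` rejects the value outright, and `countParameterized` compares it as an ordinary string and matches nothing. The allowlist is the right choice when the set of legal values is small and fixed; variable binding is the fallback when it is not.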
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0638 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-643 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | xpath, injection, java |
| OWASP | A03:2021-Injection |