XPath Injection
Description
Passing untrusted user input to `xpath.parse()`, for example an expression assembled by concatenating request parameters, creates an XPath injection vulnerability (CWE-643). XPath has no escape character inside string literals, so a single or double quote in the input can terminate a literal and turn the rest of the input into additional predicates. A malicious actor can use this to change the structure of the query that is evaluated against the XML document and read nodes they are not authorized to see.
Examples
Insecure Code
```javascript
const xpath = require('xpath');

// userInput comes straight from the request and is parsed as an XPath expression
xpath.parse(userInput)
```
Secure Code
```javascript
const xpath = require('xpath');

// Only complete, pre-approved expressions are ever parsed; userInput must
// match one of them exactly, otherwise the request is rejected.
const allowedExpr = ['expression1', 'expression2'];
if (allowedExpr.includes(userInput)) {
  xpath.parse(userInput);
}
```
Remediation
Always validate untrusted input before it reaches `xpath.parse()`, in particular request parameters and query strings that decide which expression is evaluated. Prefer an allowlist of complete, known-good expressions and reject anything that does not match one of them exactly; substring matching or stripping quote characters is not a substitute, because XPath has no escape character inside string literals. Where the user may legitimately supply only a value (a name, an ID) rather than a whole expression, keep the expression fixed and pass the value separately, either through the parser's variable binding where it is available or by encoding the value as an XPath string literal, so that the input can never alter the structure of the query.
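The following is an added example, not the rule's own code and not the `xpath` package's API, written in plain JavaScript with no dependencies so the shape of each expression can be inspected before anything is handed to a parser. The function names (`buildUserQueryUnsafe`, `xpathStringLiteral`, `buildUserQuerySafe`, `selectAllowedExpression`), the sample expressions and the attack string are all hypothetical and chosen for illustration. It goes slightly beyond the secure snippet above: besides an allowlist, it shows the string-literal encoding to use when a user-controlled value must appear inside a fixed expression.

```javascript
// Added example: three ways a request value can reach an XPath expression.
// Plain Node.js, no dependencies; names and expressions are illustrative only.

// 1. Vulnerable: string concatenation. A quote in `username` closes the
//    literal and the remainder of the input becomes part of the predicate.
function buildUserQueryUnsafe(username) {
  return "//user[name='" + username + "']";
}

// 2. Encode a value as an XPath 1.0 string literal. XPath has no escape
//    character, so a value containing both quote kinds must be assembled
//    with concat(), alternating single- and double-quoted pieces.
function xpathStringLiteral(value) {
  const s = String(value);
  if (!s.includes("'")) return "'" + s + "'";
  if (!s.includes('"')) return '"' + s + '"';
  // Split on single quotes: each piece is safe inside single quotes, and the
  // removed single quote is re-inserted as the double-quoted literal "'".
  const pieces = s.split("'").map((p) => "'" + p + "'");
  return "concat(" + pieces.join(", \"'\", ") + ")";
}

// Hardened: the value can only ever be a string literal, never structure.
function buildUserQuerySafe(username) {
  return "//user[name=" + xpathStringLiteral(username) + "]";
}

// 3. Allowlist by key. The client never sends an expression; it sends an
//    identifier that the server maps to a fixed, reviewed expression. This is
//    the idea behind the secure snippet above, but comparing a short key is
//    less error-prone than comparing a raw expression string.
const ALLOWED_EXPRESSIONS = Object.freeze({
  userNames: "//user/name",
  activeUserNames: "//user[@active='true']/name",
});

function selectAllowedExpression(key) {
  // hasOwnProperty guards against keys such as "__proto__" or "constructor"
  // that a plain `key in obj` check would accept.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_EXPRESSIONS, key)) {
    return null; // unknown key: reject the request, never fall back to the input
  }
  return ALLOWED_EXPRESSIONS[key];
}

// Demonstration when run directly: node xpath_example.js
if (typeof require !== "undefined" && require.main === module) {
  const attack = "x' or '1'='1"; // constructed sample input
  console.log("unsafe      :", buildUserQueryUnsafe(attack));
  console.log("safe        :", buildUserQuerySafe(attack));
  console.log("both quotes :", buildUserQuerySafe("O'Brien said \"hi\""));
  console.log("allowlist   :", selectAllowedExpression("userNames"),
    selectAllowedExpression("//user"));
}
```

Run with `node xpath_example.js`: the unsafe builder yields `//user[name='x' or '1'='1']`, where the input has become a second predicate, while the safe builder yields `//user[name="x' or '1'='1"]`, a single literal that can never match a real name. Whichever string you end up with, it is the one string you would then pass to `xpath.parse()`; the allowlist function returns `null` for anything it does not know, and the caller should treat that as a rejected request rather than parsing the original input.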
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0424 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-643 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | xpath, injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |