Improper Restriction of XML External Entity Reference ('XXE')

ID

scala.xpathi.scala_xpathi_rule_xpathinjection

Severity

high

Resource

Xpathi

Language

Scala

Description

Untrusted input values included in XPath queries need to be passed in safely. Just as bind variables in prepared statements mitigate SQL injection, binding the value through an XPathVariableResolver instead of concatenating it into the expression string mitigates XPath injection.

Rationale

An XPath expression built by string concatenation lets a caller who controls the input change the structure of the query (for example by closing a quoted predicate), not just the value being compared. Binding the value as an XPath variable keeps the expression constant, so the input is only ever treated as data.

The following code illustrates a vulnerable pattern detected by this rule:

import javax.xml.xpath.XPathFactory
import org.w3c.dom.Document

def main(args: Array[String]): Unit = {
  val doc: Document = null
  val input = args(1)
  // Untrusted input is concatenated directly into the XPath expression string
  val query = "//groups/group[@id='" + input + "']/writeAccess/text()"
  System.out.println(">> XPath.compile()")
  // VULNERABLE: user-controlled input is part of the expression passed to evaluate()
  XPathFactory.newInstance.newXPath.evaluate(query, doc)

  System.out.println(">> XPath.evaluate()")
  // VULNERABLE: same tainted expression, result printed
  System.out.println("result=" + XPathFactory.newInstance.newXPath.evaluate(query, doc))

  // VULNERABLE: the tainted expression is compiled
  XPathFactory.newInstance.newXPath.compile(query)

  // Safe (the next sample should not be flagged): the expression is a constant string
  System.out.println(">> Safe")
  XPathFactory.newInstance.newXPath.compile("//groups/group[@id='admin']/writeAccess/text()")
}

Remediation

Keep the XPath expression a constant string and supply untrusted values through an XPathVariableResolver (referenced as $name inside the expression) rather than concatenating them into the query. Follow secure coding practices and review the references below for detailed remediation guidance.
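The following is an added example, not part of the rule's own sample code, showing the same group lookup written safely: the expression is a fixed string and the group id is bound as the XPath variable $id. The XML document, the object name SafeXPathLookup and the helper names are constructed for this illustration.

```scala
import java.io.ByteArrayInputStream
import java.nio.charset.StandardCharsets
import javax.xml.namespace.QName
import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.xpath.{XPathConstants, XPathFactory, XPathVariableResolver}
import org.w3c.dom.Document

object SafeXPathLookup {
  // Constructed sample document for the example (not from the original page).
  private val xml =
    """<groups>
      |  <group id="admin"><writeAccess>true</writeAccess></group>
      |  <group id="guest"><writeAccess>false</writeAccess></group>
      |</groups>""".stripMargin

  private def parse(): Document = {
    val dbf = DocumentBuilderFactory.newInstance()
    // Refuse DOCTYPE declarations so the parser cannot resolve external entities.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    dbf.newDocumentBuilder()
      .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
  }

  // Safe: the expression is constant; the untrusted id is supplied as the variable $id,
  // so quote characters or predicate syntax in groupId are compared literally.
  def writeAccessFor(groupId: String): String = {
    val xpath = XPathFactory.newInstance().newXPath()
    xpath.setXPathVariableResolver(new XPathVariableResolver {
      override def resolveVariable(name: QName): AnyRef =
        if (name.getLocalPart == "id") groupId else null
    })
    val expr = xpath.compile("//groups/group[@id=$id]/writeAccess/text()")
    expr.evaluate(parse(), XPathConstants.STRING).asInstanceOf[String]
  }

  def main(args: Array[String]): Unit = {
    println(writeAccessFor("admin"))
    println(writeAccessFor("guest"))
    // A value containing a quote would break a concatenated expression;
    // here it is simply an id that matches no group, so an empty string comes back.
    println(writeAccessFor("a'b"))
  }
}
```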

Configuration

This detector does not need any configuration.

References