XPath injection High

Building an XPath query by concatenating unsanitized user input lets an attacker change the structure of the query — for example by appending path steps, predicates or wildcards — so it can return nodes the original query never intended to expose, potentially any data in the document. Treat user input as data rather than query syntax: validate it against a strict allowlist, quote it as an XPath string literal inside a fixed predicate, or bind it as an XPath variable if the library supports that. Generic encoders such as the global JavaScript `escape()` are not XPath sanitizers.

Detector ID
typescript/xpath-injection@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

1import express, {Request, Response} from 'express'
2import * as xpath from 'xpath'
3import {DOMParser} from 'xmldom'
// Express application the example route below is registered on.
var app = express();
/**
 * Registers a handler that builds an XPath expression by string-concatenating
 * a request value. Deliberately vulnerable: this is the "Noncompliant" half of
 * the detector documentation and must not be "fixed".
 */
function xpathInjectionNoncompliant() {
  const handler = (req: Request, res: Response) => {
    const userName = req.params.userName;
    const xml = "<book><title>Harry Potter</title></book>";
    const doc = new DOMParser().parseFromString(xml);
    // Noncompliant: the raw request value becomes part of the query syntax,
    // so it can append path steps, predicates or wildcards and select nodes
    // the fixed "//title" prefix never intended to expose.
    const nodes = xpath.select(`//title${userName}`, doc);
  };
  app.get("www.example.com", handler);
}

Compliant example

1import express, {Request, Response} from 'express'
2import * as xpath from 'xpath'
3import {DOMParser} from 'xmldom'
// Express application the example route below is registered on.
var app = express();
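/**
 * Quote `value` as an XPath 1.0 string literal so it is only ever compared as
 * data and never parsed as query syntax.
 *
 * XPath 1.0 has no escape sequence inside string literals, so a value that
 * contains both quote kinds is split into a concat() of pieces that are each
 * free of the quote character used to delimit them.
 *
 * @param value - untrusted text to embed in an XPath expression
 * @returns an expression such as `'abc'`, `"it's"` or `concat('a', "'", 'b')`
 *          that evaluates to exactly `value`
 */
function xpathStringLiteral(value: string): string {
  if (!value.includes("'")) {
    return `'${value}'`;
  }
  if (!value.includes('"')) {
    return `"${value}"`;
  }
  // Both quote kinds present: emit 'chunk', "'", 'chunk', ... inside concat().
  const parts = value.split("'").map((chunk) => `'${chunk}'`);
  return `concat(${parts.join(`, "'", `)})`;
}

/**
 * Registers a handler that looks up a title by a request value without letting
 * that value alter the structure of the XPath query. This is the "Compliant"
 * half of the detector documentation.
 */
function xpathInjectionCompliant() {
  app.get(
    "www.example.com",
    function (req: Request, res: Response) {
      // NOTE(review): this route pattern declares no ':userName' segment, so
      // req.params.userName is presumably undefined at runtime — confirm the
      // intended route. Default to "" so the query is still well-formed.
      const userName = req.params.userName ?? "";
      const xml = "<book><title>Harry Potter</title></book>";
      const doc = new DOMParser().parseFromString(xml);
      // Compliant: the request value is embedded only as a quoted XPath string
      // literal inside a fixed predicate, so it is compared as data and cannot
      // add path steps, predicates or wildcards to the query.
      //
      // Do NOT use the global escape() for this: it percent-encodes most
      // punctuation but leaves '/', '.', '*', '@', '-', '_' and '+' untouched,
      // so an input such as "/..//*" passes through unchanged and still
      // rewrites the query. If the xpath library offers bound variables,
      // prefer those over any string building.
      const nodes = xpath.select(
        "//title[text()=" + xpathStringLiteral(userName) + "]",
        doc,
      );
    },
  );
}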