ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2091/common/fix/parameterized-queries.adoc

13 lines
764 B
Plaintext
Raw Normal View History

[APPSEC-271] Modify rule S2091: Change text to the education framework format [Python] (#1396) * Add rule information * Add lxml * Add Python stdlib * Change the XPath queries such that they're correct * Remove nonexistant highlighting reference * Add lxml as allowed framework * Split up parameterized queries and validation * Fix typo * Make changes in Java docs * Fix .NET text * Update rules/S2091/python/how-to-fix-it/python.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update common texts * Update code samples * Fix typo * Use correct syntax for lxml * Apply code review fixes Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
2022-11-21 11:47:20 +01:00
==== Parameterized Queries
For XPath injections, the cleanest way to do so is to use parameterized queries.
XPath allows for the usage of variables inside expressions in the form of `$variable`. XPath variables can be used to construct an XPath query without needing to concatenate user arguments to the query at runtime. Here is an example of an XPath query with variables:
----
/users/user[@user=$user and @pass=$pass]
----
When the XPath query is executed, the user input is passed alongside it. During execution, when the values of the variables need to be known, a resolver will return the correct user input for each variable. The contents of the variables are not considered application logic by the XPath executor, and thus injection is not possible.
Reference in New Issue Copy Permalink