rspec/rules/S2091/common/fix/validation.adoc

==== Validation

In case XPath parameterized queries are not available, the most secure way to protect against injections is to validate the input before using it in an XPath query.

**Important**: The application must do this validation server-side. Validating this client-side is insecure.

Input can be validated in multiple ways:

*  By checking against a list of authorized and secure strings that the application is allowed to use in a query.
*  By ensuring user input is restricted to a specific range of characters (e.g., the regex `/^[a-zA-Z0-9]*$/` only allows alphanumeric characters.)
*  By ensuring user input does not include any XPath metacharacters, such as `"`, `'`, `/`, `@`, `=`, `*`, `[`, `]`, `(` and `)`.

If user input is not considered valid, it should be rejected as it is unsafe.
Modify S2091(multiple languages): Update to the education framework (APPSEC-97) (#1197) 2022-09-02 09:43:40 +02:00			`==== Validation`

[APPSEC-271] Modify rule S2091: Change text to the education framework format [Python] (#1396) * Add rule information * Add lxml * Add Python stdlib * Change the XPath queries such that they're correct * Remove nonexistant highlighting reference * Add lxml as allowed framework * Split up parameterized queries and validation * Fix typo * Make changes in Java docs * Fix .NET text * Update rules/S2091/python/how-to-fix-it/python.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update common texts * Update code samples * Fix typo * Use correct syntax for lxml * Apply code review fixes Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> 2022-11-21 11:47:20 +01:00			`In case XPath parameterized queries are not available, the most secure way to protect against injections is to validate the input before using it in an XPath query.`
Modify S2091(multiple languages): Update to the education framework (APPSEC-97) (#1197) 2022-09-02 09:43:40 +02:00
[APPSEC-271] Modify rule S2091: Change text to the education framework format [Python] (#1396) * Add rule information * Add lxml * Add Python stdlib * Change the XPath queries such that they're correct * Remove nonexistant highlighting reference * Add lxml as allowed framework * Split up parameterized queries and validation * Fix typo * Make changes in Java docs * Fix .NET text * Update rules/S2091/python/how-to-fix-it/python.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update common texts * Update code samples * Fix typo * Use correct syntax for lxml * Apply code review fixes Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> 2022-11-21 11:47:20 +01:00			`Important: The application must do this validation server-side. Validating this client-side is insecure.`
Modify S2091(multiple languages): Update to the education framework (APPSEC-97) (#1197) 2022-09-02 09:43:40 +02:00
[APPSEC-271] Modify rule S2091: Change text to the education framework format [Python] (#1396) * Add rule information * Add lxml * Add Python stdlib * Change the XPath queries such that they're correct * Remove nonexistant highlighting reference * Add lxml as allowed framework * Split up parameterized queries and validation * Fix typo * Make changes in Java docs * Fix .NET text * Update rules/S2091/python/how-to-fix-it/python.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update common texts * Update code samples * Fix typo * Use correct syntax for lxml * Apply code review fixes Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> 2022-11-21 11:47:20 +01:00			`Input can be validated in multiple ways:`
Modify S2091(multiple languages): Update to the education framework (APPSEC-97) (#1197) 2022-09-02 09:43:40 +02:00
[APPSEC-271] Modify rule S2091: Change text to the education framework format [Python] (#1396) * Add rule information * Add lxml * Add Python stdlib * Change the XPath queries such that they're correct * Remove nonexistant highlighting reference * Add lxml as allowed framework * Split up parameterized queries and validation * Fix typo * Make changes in Java docs * Fix .NET text * Update rules/S2091/python/how-to-fix-it/python.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update common texts * Update code samples * Fix typo * Use correct syntax for lxml * Apply code review fixes Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> 2022-11-21 11:47:20 +01:00			`* By checking against a list of authorized and secure strings that the application is allowed to use in a query.`
			* By ensuring user input is restricted to a specific range of characters (e.g., the regex `/^[a-zA-Z0-9]*$/` only allows alphanumeric characters.)
			* By ensuring user input does not include any XPath metacharacters, such as `"`, `'`, `/`, `@`, `=`, `*`, `[`, `]`, `(` and `)`.
Modify S2091(multiple languages): Update to the education framework (APPSEC-97) (#1197) 2022-09-02 09:43:40 +02:00
[APPSEC-271] Modify rule S2091: Change text to the education framework format [Python] (#1396) * Add rule information * Add lxml * Add Python stdlib * Change the XPath queries such that they're correct * Remove nonexistant highlighting reference * Add lxml as allowed framework * Split up parameterized queries and validation * Fix typo * Make changes in Java docs * Fix .NET text * Update rules/S2091/python/how-to-fix-it/python.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update common texts * Update code samples * Fix typo * Use correct syntax for lxml * Apply code review fixes Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> 2022-11-21 11:47:20 +01:00			`If user input is not considered valid, it should be rejected as it is unsafe.`