ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4817/csharp/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

70 lines
2.9 KiB
Plaintext
Raw Blame History

Executing XPATH expressions is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6272[CVE-2016-6272]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9149[CVE-2016-9149]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4837[CVE-2012-4837]
User-provided data such as URL parameters should always be considered as untrusted and tainted. Constructing XPath expressions directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the expression itself. Successful XPath injections attacks can read sensitive information from the XML document.
This rule will create issues when the following methods are called with a string XPath which is subject to injection (non-hardcoded string):
* ``++System.Xml.XmlNode.SelectNodes(string)++``
* ``++System.Xml.XmlNode.SelectNodes(string, System.Xml.XmlNamespaceManager)++``
* ``++System.Xml.XmlNode.SelectSingleNode(string)++``
* ``++System.Xml.XmlNode.SelectSingleNode(string, System.Xml.XmlNamespaceManager)++``
* ``++System.Xml.XPath.XPathNavigator.Compile(string)++``
* ``++System.Xml.XPath.XPathNavigator.Evaluate(string)++``
* ``++System.Xml.XPath.XPathNavigator.Evaluate(string, System.Xml.IXmlNamespaceResolver)++``
* ``++System.Xml.XPath.XPathNavigator.Matches(string)++``
* ``++System.Xml.XPath.XPathNavigator.Select(string)++``
* ``++System.Xml.XPath.XPathNavigator.Select(string, System.Xml.IXmlNamespaceResolver)++``
* ``++System.Xml.XPath.XPathNavigator.SelectSingleNode(string)++``
* ``++System.Xml.XPath.XPathNavigator.SelectSingleNode(string, System.Xml.IXmlNamespaceResolver)++``
* ``++System.Xml.XPath.XPathExpression.Compile(string)++``
* ``++System.Xml.XPath.XPathExpression.Compile(string, System.Xml.IXmlNamespaceResolver)++``
Calling these methods on subclasses of ``++XmlNode++`` and ``++XPathNavigator++`` will also raise an issue.
Methods receiving the XPath as an ``++XPathExpression++`` instead of a string will not raise an exception. The goal is to highlight the place where the XPath string is compiled.
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
xpathNavigator.Evaluate(expression); // Sensitive. Check if the XPATH expression is safe.
----
== Exceptions
Hard-coded XPath strings will not raise an issue.
----
xpathNavigator.Evaluate("/users/user[@name='alice']");
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 9 May 2019, 15:59:33 Nicolas Harraudeau wrote:
This rule is deprecated for C# because it is handled by the taint analysis engine (RSPEC-2091).
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink