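/* goodB2G() - use badsource and goodsink */
/// <summary>
/// Takes the "username||password" string carried in <paramref name="dataContainer"/>, XML-escapes
/// both halves and looks the matching user's secret up in CWE643_Xpath_Injection__Helper.xml via XPath.
/// </summary>
/// <param name="dataContainer">Carrier whose <c>containerOne</c> holds the untrusted credential
/// string. Must be non-null; a null <c>containerOne</c> or a string without the "||" delimiter is ignored.</param>
public static void GoodB2GSink(CWE643_Xpath_Injection__Database_67a.Container dataContainer)
{
    string data = dataContainer.containerOne;
    /* the helper document sits two directories up; the separator follows the host OS */
    string xmlFile = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
        ? "..\\..\\CWE643_Xpath_Injection__Helper.xml"
        : "../../CWE643_Xpath_Injection__Helper.xml";
    if (data == null)
    {
        return;
    }
    /* assume username||password as source; split on the two-character delimiter rather than
     * on each '|' (Split(char[]) would produce an empty token between the two bars, so the
     * password would silently become "") */
    string[] tokens = data.Split(new[] { "||" }, System.StringSplitOptions.None);
    if (tokens.Length < 2)
    {
        return;
    }
    /* FIX: XML-escape the input before it is embedded in the XPath literal. A quote becomes
     * "&apos;" and the other markup characters become entity references, none of which can close
     * the literal, so an injected predicate cannot change the query. The trade-off is that values
     * containing ' " & < > will never match a stored name or password. */
    string username = System.Security.SecurityElement.Escape(tokens[0]);
    string password = System.Security.SecurityElement.Escape(tokens[1]);
    /* build xpath */
    XPathDocument inputXml = new XPathDocument(xmlFile);
    XPathNavigator xPath = inputXml.CreateNavigator();
    string query = "//users/user[name/text()='" + username + "' and pass/text()='" + password + "']" + "/secret/text()";
    /* the expression selects a node set: Evaluate() would hand back an XPathNodeIterator that
     * cannot be cast to string, so select the first text node and read its value instead.
     * The looked-up secret is not consumed further here. */
    XPathNavigator secretNode = xPath.SelectSingleNode(query);
    string secret = secretNode?.Value;
}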
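/* goodG2B() - use goodsource and badsink */
/// <summary>
/// Takes the "username||password" string carried in <paramref name="dataContainer"/> and looks the
/// matching user's secret up in CWE643_Xpath_Injection__Helper.xml via XPath. This is the sink
/// paired with a safe source: the two halves are embedded in the query without any escaping.
/// </summary>
/// <param name="dataContainer">Carrier whose <c>containerOne</c> holds the credential string.
/// Must be non-null; a null <c>containerOne</c> or a string without the "||" delimiter is ignored.</param>
public static void GoodG2BSink(CWE643_Xpath_Injection__Database_67a.Container dataContainer)
{
    string data = dataContainer.containerOne;
    /* the helper document sits two directories up; the separator follows the host OS */
    string xmlFile = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
        ? "..\\..\\CWE643_Xpath_Injection__Helper.xml"
        : "../../CWE643_Xpath_Injection__Helper.xml";
    if (data == null)
    {
        return;
    }
    /* assume username||password as source; split on the two-character delimiter rather than
     * on each '|' (Split(char[]) would produce an empty token between the two bars, so the
     * password would silently become "") */
    string[] tokens = data.Split(new[] { "||" }, System.StringSplitOptions.None);
    if (tokens.Length < 2)
    {
        return;
    }
    string username = tokens[0];
    string password = tokens[1];
    /* build xpath */
    XPathDocument inputXml = new XPathDocument(xmlFile);
    XPathNavigator xPath = inputXml.CreateNavigator();
    /* INCIDENTAL: CWE180 Incorrect Behavior Order: Validate Before Canonicalize
     * The user input should be canonicalized before validation. */
    /* POTENTIAL FLAW: user input is used without validate */
    string query = "//users/user[name/text()='" + username + "' and pass/text()='" + password + "']" + "/secret/text()";
    /* the expression selects a node set: Evaluate() would hand back an XPathNodeIterator that
     * cannot be cast to string, so select the first text node and read its value instead.
     * The looked-up secret is not consumed further here. */
    XPathNavigator secretNode = xPath.SelectSingleNode(query);
    string secret = secretNode?.Value;
}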