...
In this noncompliant code example, a user name and password are read from the user and used to construct the query string. With suitably crafted input, the evaluate function call returns the set of all nodes in the XML file, causing the login function to return true and bypassing any authorization.
...
In similar vulnerabilities such as SQL injection, an effective prevention technique is parameterization. In this technique, user-specified data is passed directly to an API as a parameter, which ensures that no data specified by the user is interpreted as executable logic. Unfortunately, such an interface does not currently exist in Java. However, this functionality can be emulated by using an interface such as XQuery, which enables the user to effectively parameterize data by specifying the query statement in a separate file and supplying the query at runtime. This compliant solution reads the query from a text file and enters the values for the user name and password in a Map; the XML query is then constructed from these elements.
...
```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;

import nu.xom.Builder;
import nu.xom.Document;
import nu.xom.Nodes;
import nux.xom.xquery.XQuery;
import nux.xom.xquery.XQueryFactory;

// Parse the user store and load the fixed query text from login.xry.
Document doc = new Builder().build("users.xml");
XQuery xquery = new XQueryFactory().createXQuery(new File("login.xry"));

// The credentials are supplied as external variables, never as query text.
Map<String, Object> queryVars = new HashMap<String, Object>();
queryVars.put("loginid", "Utah"); // user name hard coded for illustrative purposes
queryVars.put("password", "test123securecoding"); // password hard coded for illustrative purposes

Nodes results = xquery.execute(doc, null, queryVars).toNodes();
for (int i = 0; i < results.size(); i++) {
  System.out.println(results.get(i).toXML());
}
```
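The contrast between the noncompliant string-built query and the compliant parameterized query, shown side by side in Ruby with the standard-library REXML parser. This is an added example, not the page's Java code: REXML's XPath evaluator accepts a hash of variable bindings (`$login`, `$password`), which plays the role of the external-variable Map in the XQuery solution. The user store is a constructed sample standing in for `users.xml`, and the tautology string is a constructed input of the kind the noncompliant example is vulnerable to.

```ruby
# Added example (Ruby/REXML, not the page's Java code): the same
# parameterization idea the compliant solution uses. REXML lets an XPath
# expression refer to variables ($login, $password) that are bound when
# the query is evaluated, so user input never becomes part of the query text.
require 'rexml/document'

# Constructed sample user store, standing in for users.xml.
USERS_XML = <<~XML
  <users>
    <user><login>Utah</login><password>test123securecoding</password></user>
    <user><login>Arizona</login><password>other-secret</password></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Noncompliant pattern: the credentials are spliced into the query text,
# so quotes in the input can rewrite the predicate's logic.
def login_unsafe(doc, user, pass)
  query = "//users/user[login='#{user}' and password='#{pass}']"
  !REXML::XPath.match(doc, query).empty?
end

# Compliant pattern: the query text is a constant; the credentials are
# bound to named variables and are only ever compared as string values.
LOGIN_QUERY = '//users/user[login=$login and password=$password]'

def login_safe(doc, user, pass)
  vars = { 'login' => user, 'password' => pass }
  !REXML::XPath.match(doc, LOGIN_QUERY, {}, vars).empty?
end

# Constructed input that turns the predicate into a tautology when spliced
# into the query text; the bound-variable query treats it as a literal value.
TAUTOLOGY = "' or '1'='1"

# Summarises how both implementations behave on the sample store:
# valid credentials log in either way; the injected value only "logs in"
# through the string-built query.
def compare_behaviour(doc)
  {
    unsafe_valid: login_unsafe(doc, 'Utah', 'test123securecoding'),
    safe_valid: login_safe(doc, 'Utah', 'test123securecoding'),
    unsafe_injected: login_unsafe(doc, TAUTOLOGY, TAUTOLOGY),
    safe_injected: login_safe(doc, TAUTOLOGY, TAUTOLOGY)
  }
end

compare_behaviour(DOC).each { |name, outcome| puts "#{name}: #{outcome}" }
```

The detection-relevant point is the shape of the fix rather than the library: in `login_safe` the query string is a compile-time constant, so a code review or a grep for string interpolation inside XPath/XQuery literals is enough to spot regressions back to the noncompliant pattern.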
...