SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 45

changes.mady.by.user Ankur Goyal

Saved on

compared with

New Version 46

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot

...

Consider the following XML schema.

Code Block
&lt;users&gt;<users>
  &lt;user&gt;<user>
    &lt;login&gt;Utah&lt;/login&gt;<login>Utah</login>
    &lt;password&gt;C^f3&lt;/password&gt;<password>C^f3</password>
  &lt;/user&gt;</user>
  &lt;user&gt;<user>
    &lt;login&gt;Bohdi&lt;/login&gt;<login>Bohdi</login>
    &lt;password&gt;C@fe&lt;/password&gt;<password>C@fe</password>
  &lt;/user&gt;</user>
  &lt;user&gt;<user>
    &lt;login&gt;Busey&lt;/login&gt;<login>Busey</login>
    &lt;password&gt;cAf3&lt;/password&gt;<password>cAf3</password>
  &lt;/user&gt;
&lt;/users&gt;</user>
</users>

Untrusted code may attempt to retrieve user details from this file with an XPath statement constructed dynamically from user input.

Code Block
str_query = &quot;"//users/user[LoginID/text()= &quot;" &amp;amp; login &amp;amp; 
            &quot;" and password/text()=&quot;" &amp;amp; password &amp;amp; &quot;]&quot;"]"

An attacker may specify input such as, login = ' or 1=1 and password = ' or 1=1, yielding the following query string.

...

Code Block
bgColor#FFcccc
class XpathInjection {
  private boolean doLogin(String loginID, String password)
    throws ParserConfigurationException, SAXException,IOException, XPathExpressionException {

    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
    domFactory.setNamespaceAware(true);
    DocumentBuilder builder = domFactory.newDocumentBuilder();
    Document doc = builder.parse(&quot;"users.xml&quot;");

    XPathFactory factory = XPathFactory.newInstance();
    XPath xpath = factory.newXPath();
    XPathExpression expr = xpath.compile(&quot;"//users/user[login/text()='&quot;" + 
         loginID +&quot;'&quot;"'" + &quot;"and password/text()='&quot;"+password+&quot;"' ]&quot;");
    Object result = expr.evaluate(doc, XPathConstants.NODESET);
    NodeList nodes = (NodeList) result;
   
    // Print first names to the console 
    for (int i = 0; i &lt;< nodes.getLength(); i++) {
      System.out.println(nodes.item(i).getNodeValue());}       
         
    return (nodes.getLength() &gt;>= 1);
  }
}

Compliant Solution

...

Code Block
bgColor#ccccff

Document doc = new Builder().build(&quot;"users.xml&quot;");
XQuery xquery = new XQueryFactory().createXQuery(new File(&quot;"login.xry&quot;"));

Map queryVars= new HashMap();

queryVars.put(&quot;loginid&quot;"loginid", &quot;Utah&quot;"Utah"); // user name hardcoded for illustrative purposes
queryVars.put(&quot;password&quot;"password", &quot;securecoding&quot;"securecoding"); // password hardcoded for illustrative purposes 

Nodes results = xquery.execute(doc, null, queryVars).toNodes();

for (int i=0; i &lt;< results.size(); i++) {
  System.out.println(results.get(i).toXML());
}

...

Wiki Markup
\[[Fortify 08|AA. Java References#Fortify 08]\] &quot;"Input Validation and Representation: XML Injection&quot;"
\[[Sen 07|AA. Java References#Sen 07]\]
\[[Sun 06|AA. Java References#Sun 06]\] [Ensure Data Security|http://java.sun.com/developer/technicalArticles/xml/jaxp1-3/index.html#Ensure%20Data%20Security]
\[[OWASP 05|AA. Java References#OWASP 05]\] [Testing for XPath Injection|http://www.owasp.org/index.php/XPath_Injection_Testing_AoC]
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 643|http://cwe.mitre.org/data/definitions/247.html] &quot;"Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')&quot;"

...

IDS05-J. Prevent XML Injection&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;      10. Input Validation and Data Sanitization (IDS)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;      IDS07-J. Understand how escape characters are interpreted when String literals are compiled