SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 41

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 42

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0

...

Consider the following XML schema.

Code Block
<users>&lt;users&gt;
  <user>&lt;user&gt;
    <login>Utah</login>&lt;login&gt;Utah&lt;/login&gt;
    <password>C^f3</password>&lt;password&gt;C^f3&lt;/password&gt;
  </user>&lt;/user&gt;
  <user>&lt;user&gt;
    <login>Bohdi</login>&lt;login&gt;Bohdi&lt;/login&gt;
    <password>C@fe</password>&lt;password&gt;C@fe&lt;/password&gt;
  </user>&lt;/user&gt;
  <user>&lt;user&gt;
    <login>Busey</login>&lt;login&gt;Busey&lt;/login&gt;
    <password>cAf3</password>&lt;password&gt;cAf3&lt;/password&gt;
  </user>
</users>&lt;/user&gt;
&lt;/users&gt;

Untrusted code may attempt to retrieve user details from this file with an XPath statement constructed dynamically from user input.

Code Block
str_query = "&quot;//users/user[LoginID/text()= "&quot; &amp; login &amp; 
            "&quot; and password/text()="&quot; &amp; password &amp; "]"&quot;]&quot;

An attacker may specify input such as, login = ' or 1=1 and password = ' or 1=1, yielding the following query string.

...

Code Block
bgColor#FFcccc
class XpathInjection {
  private boolean doLogin(String loginID, String password)
    throws ParserConfigurationException, SAXException,IOException, XPathExpressionException {

    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
    domFactory.setNamespaceAware(true);
    DocumentBuilder builder = domFactory.newDocumentBuilder();
    Document doc = builder.parse("&quot;users.xml"&quot;);

    XPathFactory factory = XPathFactory.newInstance();
    XPath xpath = factory.newXPath();
    XPathExpression expr = xpath.compile("&quot;//users/user[login/text()='"&quot; + 
         loginID +"'"&quot;'&quot; + "&quot;and password/text()='"&quot;+password+"&quot;' ]"&quot;);
    Object result = expr.evaluate(doc, XPathConstants.NODESET);
    NodeList nodes = (NodeList) result;
   
    // Print first names to the console 
    for (int i = 0; i <&lt; nodes.getLength(); i++) {
      System.out.println(nodes.item(i).getNodeValue());}       
         
    return (nodes.getLength() >&gt;= 1);
  }
}

Compliant Solution

...

Code Block
bgColor#ccccff

Document doc = new Builder().build("&quot;users.xml"&quot;);
XQuery xquery = new XQueryFactory().createXQuery(new File("&quot;login.xry"&quot;));

Map queryVars= new HashMap();

queryVars.put("loginid"&quot;loginid&quot;, "Utah"&quot;Utah&quot;); // user name hardcoded for illustrative purposes
queryVars.put("password"&quot;password&quot;, "securecoding"&quot;securecoding&quot;); // password hardcoded for illustrative purposes 

Nodes results = xquery.execute(doc, null, queryVars).toNodes();

for (int i=0; i <&lt; results.size(); i++) {
  System.out.println(results.get(i).toXML());
}

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Fortify 08|AA. Java References#Fortify 08]\] "&quot;Input Validation and Representation: XML Injection"&quot;
\[[Sen 07|AA. Java References#Sen 07]\]
\[[Sun 06|AA. Java References#Sun 06]\] [Ensure Data Security|http://java.sun.com/developer/technicalArticles/xml/jaxp1-3/index.html#Ensure%20Data%20Security]
\[[OWASP 05|AA. Java References#OWASP 05]\] [Testing for XPath Injection|http://www.owasp.org/index.php/XPath_Injection_Testing_AoC]
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 643|http://cwe.mitre.org/data/definitions/247.html] "&quot;Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')"&quot;

...

IDS05-J. Prevent XML Injection      &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;49. Miscellaneous (MSC)      &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;IDS07-J. Understand how escape characters are interpreted when String literals are compiled