SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 130

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 131

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: AD TCF

...

[Prevention of XPath injection] requires the following characters to be removed (that is, prohibited) or properly escaped:

  • < > / ' = " to prevent straight parameter injection.
  • XPath queries should not contain any meta characters (such as ' = * ? // or similar).
  • XSLT expansions should not contain any user input, or if they do, [you should] comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy.

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)

Bibliography

[Fortify 2008]"Input Validation and Representation: XML Injection"
[Oracle 2011b]Ensure Data Security
[OWASP 2014]Testing for XPath Injection
[Sen 2007]Avoid the Dangers of XPath Injection
[Sun 2006]Ensure Data Security

...