I am using XPath to extract values from XML. My code scanner breaks the assembly for the following reason:
Invokes an XPath query constructed using unapproved input. This call could allow an attacker to change the value of the statement or
This is my code:
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.xpath.AXIOMXPath;
import org.jaxen.JaxenException;

private String myMethod(String XPath, OMElement input) {
    String elementText = null;
    AXIOMXPath xpathToElement = null;
    try {
        // the expression text comes straight from the caller, which is what the scanner flags
        xpathToElement = new AXIOMXPath(XPath);
        xpathToElement.addNamespace(xxx, yyy);
        elementText = ((OMElement) xpathToElement.selectSingleNode(input)).getText();
    } catch (JaxenException e) {
        e.printStackTrace();
        fail(e.getMessage());
    }
    ...
Here is the code where I call the method above:
key = myMethod(myAttribute.getAttributeValue(), input);
input is the OMElement, the one that contains the XML. The attribute is derived from the XML attribute.
How can I avoid XPath injection? Could you share a piece of code?
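The following is an added example, not code from the question or from the Axiom project. It shows the pattern the scanner objects to (untrusted text spliced into the XPath string) next to two fixes: binding the untrusted value as a Jaxen XPath variable so the expression itself stays a constant, and, for the case in the question where the expression text is read out of an XML attribute, treating that text as a key into an allow-list of application-written expressions instead of evaluating it. The sample document, the allow-list keys and the class name are constructed for the demo; the library calls used are Axiom's OMXMLBuilderFactory and AXIOMXPath and Jaxen's SimpleVariableContext.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMXMLBuilderFactory;
import org.apache.axiom.om.xpath.AXIOMXPath;
import org.jaxen.JaxenException;
import org.jaxen.SimpleVariableContext;

public class XPathInjectionDemo {

    // Constructed sample document for the demo; not taken from the question.
    static final String SAMPLE_XML =
        "<users>"
        + "<user name=\"alice\" role=\"user\"/>"
        + "<user name=\"bob\" role=\"admin\"/>"
        + "</users>";

    // VULNERABLE: untrusted text is spliced into the query string, so the caller
    // controls the structure of the expression, not just a value inside it.
    // A name such as  nobody' or @role='admin  closes the literal and adds a predicate.
    static OMElement findUserVulnerable(OMElement root, String name) throws JaxenException {
        AXIOMXPath xp = new AXIOMXPath("//user[@name='" + name + "']");
        return (OMElement) xp.selectSingleNode(root);
    }

    // HARDENED: the expression is a compile-time constant; the untrusted value is
    // bound to the XPath variable $name through Jaxen's VariableContext, so any
    // quotes or operators inside it are compared as data, never parsed as XPath.
    static OMElement findUserSafe(OMElement root, String name) throws JaxenException {
        AXIOMXPath xp = new AXIOMXPath("//user[@name=$name]");
        SimpleVariableContext vars = new SimpleVariableContext();
        vars.setVariableValue("name", name);
        xp.setVariableContext(vars);
        return (OMElement) xp.selectSingleNode(root);
    }

    // The question's situation: the XPath text itself arrives from an XML attribute.
    // Do not evaluate that text. Use it as a key into expressions the application
    // wrote, and reject anything else. (Keys and expressions are demo assumptions.)
    static final Map<String, String> ALLOWED_QUERIES = Map.of(
        "first-user", "//user[1]",
        "admin-user", "//user[@role='admin']");

    static OMElement selectAllowListed(OMElement root, String key) throws JaxenException {
        String expr = ALLOWED_QUERIES.get(key);
        if (expr == null) {
            throw new IllegalArgumentException("XPath key not allowed: " + key);
        }
        return (OMElement) new AXIOMXPath(expr).selectSingleNode(root);
    }

    static OMElement parse(String xml) {
        return OMXMLBuilderFactory.createOMBuilder(new StringReader(xml)).getDocumentElement();
    }

    static String nameOf(OMElement e) {
        return e == null ? null : e.getAttributeValue(new QName("name"));
    }

    public static void main(String[] args) throws JaxenException {
        OMElement root = parse(SAMPLE_XML);

        // Injected payload: closes the string literal and ORs in a second predicate.
        String payload = "nobody' or @role='admin";

        System.out.println("vulnerable lookup: " + nameOf(findUserVulnerable(root, payload)));
        System.out.println("safe lookup:       " + nameOf(findUserSafe(root, payload)));
        System.out.println("safe, real name:   " + nameOf(findUserSafe(root, "alice")));

        // Expression-from-document case: only allow-listed keys reach the XPath engine.
        System.out.println("allow-listed key:  " + nameOf(selectAllowListed(root, "admin-user")));
        try {
            selectAllowListed(root, "//user[@role='admin']");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:          " + e.getMessage());
        }
    }
}
```

With the payload above, the vulnerable lookup evaluates `//user[@name='nobody' or @role='admin']` and returns the admin element even though no user is called "nobody", while the safe lookup compares the whole payload as one string and returns nothing. Variable binding is the XPath equivalent of a parameterized SQL query: it only helps when the expression passed to `new AXIOMXPath(...)` is a constant, which is also what the scanner is checking for. Whenever the expression text is itself attacker-influenced, as in the question, no amount of escaping makes it safe; the allow-list (or an equivalent fixed mapping) is the fix.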