RSPEC-2086

Values passed to XQuery commands should be sanitized


    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      "xxx" is provided externally to the method and not sanitized before use.
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way, MISRA C++ 2008 recommended
    • Targeted languages:
      C#, C, C++, HTML, Java, Objective-C, PHP, Python, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CWE:
      CWE-652
    • OWASP:
      A1

      Description

      Applications that execute XQuery commands should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that executes unintended commands, or exposes sensitive data.

      This rule checks that method parameters are not unconditionally used directly in XQuery commands.

      Noncompliant Code Example

      public User getUser(String user) throws XQException {
        OXQDataSource ds = new OXQDataSource();
        XQConnection con = ds.getConnection();
        String query = "doc(\"users.xml\")/userlist/user[uname=\""
                + user + "\"]";  // Parameter concatenated directly into string
        XQPreparedExpression expr = con.prepareExpression(query); // Noncompliant
        XQSequence result = expr.executeQuery();
        // ...
      }

      Compliant Solution

      public User getUser(String user) throws XQException {
        OXQDataSource ds = new OXQDataSource();
        XQConnection con = ds.getConnection();
        String query = "doc(\"users.xml\")/userlist/user[uname=\""
                + scrubUser(user) + "\"]";  // Method presumably sanitizes parameter
        XQPreparedExpression expr = con.prepareExpression(query);
        XQSequence result = expr.executeQuery();
        // ...
      }

      or

      public User getUser(String user) throws XQException {
        if (!user.matches(USERNAME_ALLOWED_CHARS)) {
          return null;
        }

        OXQDataSource ds = new OXQDataSource();
        XQConnection con = ds.getConnection();
        String query = "doc(\"users.xml\")/userlist/user[uname=\"" + user + "\"]";
        XQPreparedExpression expr = con.prepareExpression(query); // Compliant; value used conditionally
        XQSequence result = expr.executeQuery();
        // ...
      }

      or

      public User getUser(String user) throws XQException {
        String cleanUser = user.replaceAll("[^a-zA-Z0-9]", "");

        OXQDataSource ds = new OXQDataSource();
        XQConnection con = ds.getConnection();
        String query = "doc(\"users.xml\")/userlist/user[uname=\""
                + cleanUser + "\"]"; // Parameter not used directly in string
        XQPreparedExpression expr = con.prepareExpression(query);
        XQSequence result = expr.executeQuery();
        // ...
      }
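      As an added example (not part of the rule text or of SonarSource's code), the following Python models the query construction from the Java snippets above, Python being one of the rule's targeted languages: the noncompliant concatenation, the allow-list guard used by the second compliant solution, and, as defence in depth, correct XQuery string-literal escaping. The allow-list pattern, the users.xml document and the sample inputs are constructed for this example; the last function is a structural check that shows when a concatenated value has changed the shape of the predicate.

```python
import re

# Allow-list for account names (constructed for this example; it plays the
# role of the page's USERNAME_ALLOWED_CHARS): letters, digits, '.', '_', '-'.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,32}")

# One double-quoted XQuery string literal; an embedded quote is written as "".
STRING_LITERAL = re.compile(r'"(?:[^"]|"")*"')


def build_query_unsafe(user: str) -> str:
    """The page's noncompliant pattern: the parameter is concatenated as-is."""
    return 'doc("users.xml")/userlist/user[uname="' + user + '"]'


def is_allowed_username(user: str) -> bool:
    """Allow-list check, the equivalent of the page's user.matches(...) guard."""
    return USERNAME_ALLOWED.fullmatch(user) is not None


def xquery_string_literal(value: str) -> str:
    """Render value as a double-quoted XQuery string literal.

    Inside such a literal a double quote is escaped by doubling it, and a bare
    '&' is not allowed (it must start an entity or character reference), so it
    is written as &amp;. Every byte of the value therefore stays inside the
    literal instead of becoming XQuery syntax.
    """
    return '"' + value.replace("&", "&amp;").replace('"', '""') + '"'


def build_query_checked(user: str) -> str:
    """Validate against the allow-list first, then embed as a proper literal."""
    if not is_allowed_username(user):
        raise ValueError("username contains characters outside the allow-list")
    return 'doc("users.xml")/userlist/user[uname=' + xquery_string_literal(user) + "]"


def predicate_is_single_comparison(query: str) -> bool:
    """True iff the predicate is exactly uname=<one string literal>.

    A predicate that has acquired extra operators or literals is one whose
    structure was rewritten by the concatenated value.
    """
    start, end = query.find("["), query.rfind("]")
    if start < 0 or end < start:
        return False
    predicate = query[start + 1:end]
    if not predicate.startswith("uname="):
        return False
    return STRING_LITERAL.fullmatch(predicate[len("uname="):]) is not None
```

      With a plain name both builders yield the same single-comparison predicate; with a constructed value containing a quote, the unsafe builder's predicate fails the structural check while the allow-list rejects the value outright and the escaped literal keeps it inert.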

      See

      Reporter: Ann Campbell (ann.campbell.2)