
XPath expressions should be filtered


    Details

    • Type: Bug Detection
    • Status: Active
    • Resolution: Unresolved
    • Message: Add at least one filter to this XPath expression.
    • Default Severity: Critical
    • Impact: High
    • Likelihood: Low
    • Targeted languages: C#, C++, Flex, HTML, Java, JavaScript, Objective-C, PHP, Python, Swift, VB.Net, VB6
    • Remediation Function: Constant/Issue
    • Constant Cost: 15min
    • OWASP: A3

      Description

      Although filters are optional in XPath expressions, at least one filter should always be specified, for both performance and security reasons, so that the whole table is not read.

      Noncompliant Code Example

      /Employees/Employee/UserID |
      /Employees/Employee/FirstName |
      /Employees/Employee/LastName |
      /Employees/Employee/SSN |
      /Employees/Employee/Salary
      

      Compliant Solution

      /Employees/Employee[Managers/Manager/text() = 'Joe']/UserID |
      /Employees/Employee[Managers/Manager/text() = 'Joe']/FirstName |
      /Employees/Employee[Managers/Manager/text() = 'Joe']/LastName |
      /Employees/Employee[Managers/Manager/text() = 'Joe']/SSN |
      /Employees/Employee[Managers/Manager/text() = 'Joe']/Salary
      
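      As an added example, not part of this rule page and not SonarSource's own implementation: a minimal Python checker for this rule. It splits an expression on the top-level union operators (the `|` joining the paths above), ignoring `|` inside predicates or string literals, and reports each member that carries no `[...]` predicate using the rule's own message. The function names are my own.

```python
# Added example (not from the RSPEC-2588 page): a minimal checker for this rule.
# It splits an XPath expression on top-level union operators and reports each
# member that carries no predicate, i.e. no "[...]" filter.

RULE_MESSAGE = "Add at least one filter to this XPath expression."


def split_union(xpath: str) -> list[str]:
    """Split on '|' at nesting depth 0, ignoring '|' inside predicates
    or string literals, so "[a = '|']" is not mistaken for a union."""
    parts, current, depth, quote = [], [], 0, None
    for ch in xpath:
        if quote:                       # inside a string literal
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == "|" and depth == 0:  # top-level union operator
            parts.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def has_filter(path: str) -> bool:
    """A location path is filtered if any of its steps carries a predicate."""
    return "[" in path


def check(xpath: str) -> list[tuple[str, str]]:
    """Return one (path, message) finding per unfiltered union member;
    an empty list means the expression complies with the rule."""
    return [(p, RULE_MESSAGE) for p in split_union(xpath) if not has_filter(p)]


# Constructed inputs mirroring the page's noncompliant and compliant examples.
NONCOMPLIANT = "/Employees/Employee/UserID | /Employees/Employee/SSN"
COMPLIANT = ("/Employees/Employee[Managers/Manager/text() = 'Joe']/UserID | "
             "/Employees/Employee[Managers/Manager/text() = 'Joe']/SSN")

if __name__ == "__main__":
    for expr in (NONCOMPLIANT, COMPLIANT):
        for path, msg in check(expr):
            print(f"{path}: {msg}")
```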

            People

            Assignee: Unassigned
            Reporter: Ann Campbell (ann.campbell.2)