
How can I prevent XPATH injection in the .NET Framework?

We were previously using string concatenation to build XPATH statements, but found that end users could execute some arbitrary XPATH. For example:

// Vulnerable: the raw user value is spliced into the XPath text, so quotes in it change the query
string queryValue = "pages[@url='" + USER_INPUT_VALUE + "']";
XmlNode node = doc.DocumentElement.SelectSingleNode(queryValue);

Would it be sufficient to strip out single and double quotes from input strings?

Or, does the .NET framework support parameterized XPATH queries?


The main idea in preventing an XPath injection is to pre-compile the XPath expression you want to use and to allow variables (parameters) in it, which during the evaluation process will be substituted by user-entered values.

In .NET:

  1. Have your XPath expression pre-compiled with XPathExpression.Compile().

  2. Use the XPathExpression.SetContext() method to specify as context an XsltContext object that resolves some specific variables to the user-entered values.

You can read more about how to evaluate an XPath expression that contains variables here.

This text contains good and complete examples.
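The two steps above, worked through as an added example (this is not the answerer's code, nor code from the .NET documentation). The XsltContext subclass, the class and method names, and the sample document are all assumptions made for the illustration; the framework types used (XsltContext, IXsltContextVariable, XPathExpression) are the real ones.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

// Hypothetical helper: an XsltContext that resolves $name variables
// in a compiled XPath expression to values supplied by the caller.
public class XPathVariableContext : XsltContext
{
    private readonly Dictionary<string, object> _vars = new Dictionary<string, object>();

    public XPathVariableContext() : base(new NameTable()) { }

    public void SetVariable(string name, object value)
    {
        _vars[name] = value;
    }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        object value;
        if (!_vars.TryGetValue(name, out value))
            throw new XPathException("Undefined XPath variable: $" + name);
        return new BoundVariable(value);
    }

    // No custom functions are exposed to the expression.
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes)
    {
        return null;
    }

    public override bool PreserveWhitespace(XPathNavigator node) { return false; }
    public override int CompareDocument(string baseUri, string nextbaseUri) { return 0; }
    public override bool Whitespace { get { return true; } }

    private sealed class BoundVariable : IXsltContextVariable
    {
        private readonly object _value;
        public BoundVariable(object value) { _value = value; }

        // The value is handed to the evaluator as an atomic value and is never
        // re-parsed as XPath, so quotes or brackets in it cannot alter the query.
        public object Evaluate(XsltContext context) { return _value; }
        public bool IsLocal { get { return false; } }
        public bool IsParam { get { return false; } }
        public XPathResultType VariableType
        {
            get { return _value is string ? XPathResultType.String : XPathResultType.Any; }
        }
    }
}

public static class PageLookup
{
    // Compiled once (step 1); only the variable binding changes per request.
    private static readonly XPathExpression PageByUrl =
        XPathExpression.Compile("/site/pages[@url = $url]");

    public static XPathNavigator FindPage(XmlDocument doc, string userInput)
    {
        var ctx = new XPathVariableContext();
        ctx.SetVariable("url", userInput);          // user input is bound as data, not query text
        var expr = PageByUrl.Clone();               // SetContext mutates the expression; keep the shared one untouched
        expr.SetContext(ctx);                       // step 2
        return doc.CreateNavigator().SelectSingleNode(expr);
    }

    public static void Main()
    {
        // Constructed sample document.
        var doc = new XmlDocument();
        doc.LoadXml("<site><pages url='/home'/><pages url='/admin'/></site>");

        Console.WriteLine("exact match found: " + (FindPage(doc, "/home") != null));
        // A value containing a quote is compared literally; it is not an XPath fragment.
        Console.WriteLine("quoted value found: " + (FindPage(doc, "/o'reilly") != null));
    }
}
```

Because XsltContext derives from XmlNamespaceManager, the same context object can also be passed to the XmlNode.SelectSingleNode(string, XmlNamespaceManager) overload used in the question, e.g. doc.DocumentElement.SelectSingleNode("pages[@url = $url]", ctx); the compiled XPathExpression form simply avoids re-parsing the expression on every call.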


Strongly typed parameters are available if you use a full-blown XsltTransform.

2 Comments

In my case, I am just trying to search for a node in an XML file. So XSLT is overkill.
Strongly typed parameters are possible not only using an XSLT transformation -- see my answer.

Parameterized XPath is possible if you use Saxon as your XPath processor.


Instead of strongly typed parameters you could decrease the options for a user. Why give them full control if you do not want that?

Provide the user with a couple of options to select from and then create the query.

Allowing the user to enter any string is asking for trouble or a lot of work.

4 Comments

What you're suggesting sounds like sanitizing input. Can you provide the set of characters which must be filtered for XPATH?
@frankadelic: You don't need "a set of characters" at all. The way to protect from an XPath injection is to use pre-compiled XPath expressions that contain variables. See my answer for explanation and links to the relevant .NET documentation.
Yes, that is what I meant. Do not allow string input. Give some option buttons and check boxes and hard code the queries.
Thanks, however, in my use case I cannot reduce the input choice to a set of options. If that were the case, I would use a whitelist approach.
