using System;
using System.Web;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;
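/// <summary>
/// Shows an XPath injection sink next to its parameterised fix. The BAD branch splices a
/// query-string value into the expression text by string concatenation; the GOOD branch
/// keeps the value out of the expression text by binding it as an XPath variable that is
/// resolved through an <see cref="XsltArgumentList"/>.
/// </summary>
public class XPathInjectionHandler : IHttpHandler
{
    /// <summary>
    /// Handles one request, evaluating the vulnerable and the fixed pattern side by side.
    /// </summary>
    /// <param name="ctx">The current request context; the "userName" query-string key is
    /// client-controlled input.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        // QueryString returns null when the key is absent; normalise to an empty string so the
        // value can later be handed to AddParam, whose contract rejects a null parameter value.
        string userName = ctx.Request.QueryString["userName"] ?? string.Empty;

        // BAD: Use user-provided data directly in an XPath expression. A quote character in
        // userName terminates the literal and lets the caller change the predicate.
        string badXPathExpr = "//users/user[login/text()='" + userName + "']/home_dir/text()";
        XPathExpression.Compile(badXPathExpr);

        // GOOD: XPath expression uses variables to refer to parameters. The variable name in
        // the expression ($userName) must match the name passed to AddParam exactly, because
        // XPath variable names are case-sensitive.
        string xpathExpression = "//users/user[login/text()=$userName]/home_dir/text()";
        XPathExpression xpath = XPathExpression.Compile(xpathExpression);

        // Arguments are provided as a XsltArgumentList()
        XsltArgumentList varList = new XsltArgumentList();
        varList.AddParam("userName", string.Empty, userName);

        // CustomContext is an application specific class, that looks up variables in the
        // expression from the varList. SetContext requires it to derive from XsltContext.
        CustomContext context = new CustomContext(new NameTable(), varList);
        xpath.SetContext(context);
    }

    /// <summary>
    /// Required by <see cref="IHttpHandler"/>. Returning false tells the pipeline to create a
    /// fresh handler instance for every request rather than pooling this one.
    /// </summary>
    public bool IsReusable => false;
}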