CRITICAL
Rule Definition
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
XPath injection (second order) - The application stores data in a database. At a later time the data is read back into the application and included in an XPath expression without sanitization, allowing attackers to modify the syntax, content, or commands of the XML query before it is processed by an end system. Because the value is trusted on the way out of the database rather than on the way in, the flaw is not visible at the point where the user input was first accepted.
Remediation
Use authorized sanitization methods: validate or sanitize data read back from the database before it is concatenated into the XPath expression, treating stored values with the same suspicion as direct user input.
Violation Code Sample
import java.sql.ResultSet;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

XPath xPath = XPathFactory.newInstance().newXPath();
InputSource inputXml = new InputSource(xmlFile);
...
// Values stored earlier are read back from the database without validation
ResultSet resultSet = preparedStatement.executeQuery();
String username = resultSet.getString(1);
String password = resultSet.getString(2);
...
// Second-order XPath injection: the stored values are concatenated directly into the expression
String query = "//users/user[name/text()='" + username +
        "' and pass/text()='" + password + "']" +
        "/secret/text()";
String result = (String) xPath.evaluate(query, inputXml, XPathConstants.STRING);
Fixed Code Sample
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

XPath xPath = XPathFactory.newInstance().newXPath();
InputSource inputXml = new InputSource(xmlFile);
...
String username; // constant value, not read back from the database
String password; // constant value, not read back from the database
// or code a validate function for the inputs "username" and "password"
// and apply it to the values before they reach the expression below
...
String query = "//users/user[name/text()='" + username +
        "' and pass/text()='" + password + "']" +
        "/secret/text()";
String result = (String) xPath.evaluate(query, inputXml, XPathConstants.STRING);
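The two samples above side by side, as an added example that is not part of the original rule page: the stored username and password are concatenated into the expression in the vulnerable method and bound as XPath variables through XPathVariableResolver in the fixed one, so a stored value containing a quote cannot alter the expression. The class name, the in-memory document (standing in for xmlFile) and the sample values are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.xpath.*;
import org.xml.sax.InputSource;

public class SecondOrderXPathDemo {
    // Constructed sample document standing in for xmlFile in the rule samples.
    static final String XML =
        "<users><user><name>alice</name><pass>s3cret</pass>"
        + "<secret>alice-secret</secret></user></users>";

    // Vulnerable: values read back from the database are concatenated into the expression,
    // so any quote in the stored value changes the expression's syntax.
    static String lookupVulnerable(String username, String password) throws XPathExpressionException {
        XPath xPath = XPathFactory.newInstance().newXPath();
        String query = "//users/user[name/text()='" + username
            + "' and pass/text()='" + password + "']/secret/text()";
        return (String) xPath.evaluate(query, new InputSource(new StringReader(XML)), XPathConstants.STRING);
    }

    // Fixed: the expression is a constant and the stored values are bound as XPath variables,
    // which the engine always treats as string literals, never as expression syntax.
    static String lookupSafe(String username, String password) throws XPathExpressionException {
        XPath xPath = XPathFactory.newInstance().newXPath();
        xPath.setXPathVariableResolver(name -> {
            switch (name.getLocalPart()) {
                case "username": return username;
                case "password": return password;
                default: return null;
            }
        });
        String query = "//users/user[name/text()=$username and pass/text()=$password]/secret/text()";
        return (String) xPath.evaluate(query, new InputSource(new StringReader(XML)), XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        // Matching stored values: the safe lookup returns the secret.
        System.out.println(lookupSafe("alice", "s3cret"));
        // A stored name containing a quote: the safe lookup simply finds no match.
        System.out.println("[" + lookupSafe("o'neil", "s3cret") + "]");
        // The same stored name breaks the concatenated expression instead.
        try {
            lookupVulnerable("o'neil", "s3cret");
        } catch (XPathExpressionException e) {
            System.out.println("vulnerable lookup failed: stored quote altered the expression syntax");
        }
    }
}
```

The variable binding also removes the need for a hand-written sanitization routine, which is the safer of the two remediations the fixed sample suggests.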
Reference
CWE-91: XML Injection (aka Blind XPath Injection)
https://cwe.mitre.org/data/definitions/91.html
Open Web Application Security Project (OWASP)
OWASP Top Ten 2017 Category A1 - Injection: https://cwe.mitre.org/data/definitions/1027.html
OWASP Top Ten 2021 Category A03:2021 - Injection: https://cwe.mitre.org/data/definitions/1347.html and https://owasp.org/Top10/A03_2021-Injection/
Related Technologies
Technical Criterion
CWE-643 - Improper Neutralization of Data within XPath Expressions ('XPath Injection')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.