Rule Definition
The software does not properly neutralize special elements that are used in Xpath query, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Remediation
Use an "accept known good" input validation strategy, i.e., use a white-list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

Violation Code Sample

<?php

function queryXmlExpressions(PDOStatement $stmt, SimpleXMLElement $xml) : void {
    $stmt->execute();
    $rows = $stmt->fetchAll();
    foreach ($rows as $row) {
        $expression = $row['expression'];
        $xml->xpath($expression);                // VIOLATION
    }
}

Fixed Code Sample

<?php

/**
 * @psalm-taint-escape xpath
 */
function my_escaping_function_for_xpath(string $input) : string {
    // Check that $input belongs to a white-list of acceptable Xpath queries.
}

function queryXmlExpressions(PDOStatement $stmt, SimpleXMLElement $xml) : void {
    $stmt->execute();
    $rows = $stmt->fetchAll();
    foreach ($rows as $row) {
        $expression = $row['expression'];
        $expression = my_escaping_function_for_xpath($expression);  // USE A FUNCTION ANNOTATED WITH @psalm-taint-escape xpath
        $xml->xpath($expression);                                   // FIXED
    }
}

CWE-91: XML Injection (aka Blind XPath Injection) https://cwe.mitre.org/data/definitions/91.html CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') https://cwe.mitre.org/data/definitions/643.html Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Top_10-2017_A1-Injection OWASP Top Ten 2021 Category A03:2021 - Injection