CRITICAL
Rule Definition
The software does not properly neutralize special elements that are used in an XQuery expression, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Remediation
Use authorized sanitization methods.
Violation Code Sample
...
String login = resultSet.getString(1);
XQDataSource dataSource = new SaxonXQDataSource();
XQConnection xcon = dataSource.getConnection(connectionName, connectionPassword);
String xquery = "for $user in doc(\"base.xml\")/Users/User[login='" + login + "'] return $user/password";
XQPreparedExpression xqpe = xcon.prepareExpression(xquery);
XQResultSequence rs = xqpe.executeQuery();
...
Fixed Code Sample
...
String login = resultSet.getString(1);
XQDataSource dataSource = new SaxonXQDataSource();
XQConnection xcon = dataSource.getConnection(connectionName, connectionPassword);
String xquery = "for $user in doc(\"base.xml\")/Users/User[login='$login'] return $user/password";
XQPreparedExpression xqpe = xcon.prepareExpression(xquery);
xqpe.bindString(new QName("login"), login, null);
XQResultSequence rs = xqpe.executeQuery();
...
Reference
CWE-652: XQuery Injection
https://cwe.mitre.org/data/definitions/652.html
Related Technologies
Technical Criterion
CWE-652 - Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.