This repository was archived by the owner on Jan 5, 2023. It is now read-only.

CWE-643 XPathInjection on Go #66

Merged
merged 7 commits into from
Mar 24, 2020

Conversation

intrigus-lgtm
Contributor

An XPath injection query is available for C#, JavaScript and Java, but not for Go.
This pull request consists of an XPath Injection query to detect cases in which user input is unsafely included in an XPath query.

I'm pretty much new to the Go language, so I hope my example code works.
I'm also new to the Go QL flavour so I've added a TODO which I'm currently not sure how to solve.

Query help is inspired/ported from the C# query help.

Code will be autoformatted soon.

Contributor

@max-schaefer max-schaefer left a comment


Many thanks for your contribution, and in particular for diligently hunting down so many XPath packages! This broadly looks good to me; I've made a few suggestions. (@sauyon, feel free to chip in with any other comments you might have.)

@max-schaefer
Contributor

^ Pro tip: in the "Files changed" view, you have the option of adding review suggestions to a batch and commit them all at once.

@intrigus-lgtm
Contributor Author

^ Pro tip: in the "Files changed" view, you have the option of adding review suggestions to a batch and commit them all at once.

Thanks for the tip. Even after 5 years of GitHub there is still new stuff to learn :)

Changes:
I autoformatted the query.
I added a sanitizer that blocks all non-string and non-[]byte nodes.
I removed the gokogiri module in favor of goxpath.
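The pattern the query is meant to flag (untrusted input concatenated into an XPath expression), a hardened form, and the reason a sanitizer can treat non-string, non-[]byte values as safe, shown as an added Go example. This is not code from the pull request or from the CodeQL Go library; the XPath library call itself is left out so the snippet runs with the standard library alone, and the `xpathLiteral` helper, the query shapes and the sample user names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// unsafeUserQuery is the shape the CodeQL query reports: a value that may come
// from the user is spliced straight into the XPath expression, so a quote in
// the input changes the structure of the query instead of being a value.
func unsafeUserQuery(username string) string {
	return "//user[name/text()='" + username + "']"
}

// xpathLiteral turns an arbitrary string into an XPath 1.0 string literal.
// XPath 1.0 has no escape sequence inside a quoted literal, so the standard
// defensive technique is to switch quote styles, or, when both quote kinds
// occur, to split on the single quotes and rebuild the value with concat().
// (Constructed helper; not part of any XPath library.)
func xpathLiteral(s string) string {
	if !strings.Contains(s, "'") {
		return "'" + s + "'"
	}
	if !strings.Contains(s, `"`) {
		return `"` + s + `"`
	}
	parts := strings.Split(s, "'")
	var b strings.Builder
	b.WriteString("concat(")
	for i, p := range parts {
		if i > 0 {
			b.WriteString(`, "'", `) // the single quote itself, as a double-quoted literal
		}
		b.WriteString("'" + p + "'")
	}
	b.WriteString(")")
	return b.String()
}

// safeUserQuery builds the same lookup, but the input can only ever be the
// compared value, never additional predicate logic.
func safeUserQuery(username string) string {
	return "//user[name/text()=" + xpathLiteral(username) + "]"
}

// idQuery shows why a sanitizer may stop tracking non-string, non-[]byte
// values: an int formatted with %d yields only digits (and a sign), so it
// cannot carry quotes or operators into the expression.
func idQuery(id int) string {
	return fmt.Sprintf("//user[@id=%d]", id)
}

func main() {
	// Constructed sample input containing a single quote; in the unsafe form it
	// terminates the literal early, in the safe form it stays inside the value.
	input := "x' or '1'='1"
	fmt.Println("unsafe:", unsafeUserQuery(input))
	fmt.Println("safe:  ", safeUserQuery(input))
	fmt.Println("both quote kinds:", xpathLiteral(`a'b"c`))
	fmt.Println("int only:", idQuery(42))
}
```

The unsafe form is what a detection query has to find by data flow from an untrusted source to the XPath sink; the safe form is what a code review should expect to see instead, and the integer case is the kind of value a sanitizer step can drop from tracking without losing findings.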

intrigus-lgtm and others added 2 commits March 23, 2020 16:45
Use getUnderlyingType() to account for named aliases.

Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
Contributor

@max-schaefer max-schaefer left a comment


LGTM, thank you very much for your contribution!
