Made by DeepSource

Audit required: XPath Injection GO-S1013

Security | Major | A03 | CWE-643 | OWASP Top 10

The components used to construct the XPath expression may include untrusted input (for example, a request parameter), which can turn the whole thing into a malicious XPath expression and lead to XPath injection. It is recommended to pre-compile the query and to pass such values in through variable references rather than splicing them into the expression text, so that input can never change the structure of the query.

When using the github.com/ChrisTrenkamp/goxpath module, write a function that takes a *goxpath.Opts parameter and sets the values of the variable references in it (o.Vars). Pass that function as an option when calling Exec(), Exec{Bool|Num|Node}(), ParseExec(), or MustExec() from github.com/ChrisTrenkamp/goxpath.

Bad practice

package main
import (
    "net/http"
    "github.com/ChrisTrenkamp/goxpath"
    "github.com/ChrisTrenkamp/goxpath/tree"
)

func example(r *http.Request, doc tree.Node) {
    password := r.Form.Get("password")

    // NOTE: password directly used in XPath expression construction:
    // any XPath syntax in the request value becomes part of the query.
    xPath := goxpath.MustParse("abc=" + password + ",xyz")
    xPath.ExecBool(doc)
}

Recommended

package main
import (
    "net/http"
    "github.com/ChrisTrenkamp/goxpath"
    "github.com/ChrisTrenkamp/goxpath/tree"
)

func example(r *http.Request, doc tree.Node) {
    password := r.Form.Get("password")
    // The expression is a constant; $password is a variable reference.
    xPath := goxpath.MustParse("abc=$password,xyz")
    // NOTE: password is no longer used directly in XPath expression
    // construction. The option function below sets the values of the
    // variable references (here, password) on the goxpath.Opts that the
    // engine passes in at execution time.
    opt := func(o *goxpath.Opts) {
        o.Vars["password"] = tree.String(password)
    }
    xPath.ExecBool(doc, opt)
}
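To show what the variable-reference pattern buys you without needing an XML document or the goxpath module, here is an added example (not DeepSource's or goxpath's own code). Opts, WithVar, ResolveVars and QuotesBalanced are stand-ins constructed for this example: Opts mirrors the shape of goxpath's Opts.Vars, and WithVar is the kind of "function that accepts *Opts" the rule recommends. The sample input is constructed. The example contrasts a concatenated query with a parameterised one and adds the check a practitioner wants: that every $name in the expression is bound and the expression text never depends on the input.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Opts is a stand-in with the same shape as the goxpath option struct the rule
// refers to: a map of named variable references that the engine substitutes at
// execution time. It is an assumption for this example, not the goxpath type.
type Opts struct {
	Vars map[string]string
}

// WithVar returns the kind of option function the rule recommends: it accepts
// an *Opts and binds one variable reference instead of editing the query text.
func WithVar(name, value string) func(*Opts) {
	return func(o *Opts) { o.Vars[name] = value }
}

// varRef matches XPath variable references such as $username.
var varRef = regexp.MustCompile(`\$([A-Za-z_][A-Za-z0-9_]*)`)

// UnsafeQuery mirrors the "Bad practice" block: the request value is spliced
// into the expression text, so its quotes and brackets become XPath syntax.
func UnsafeQuery(username string) string {
	return "//user[name='" + username + "']/role"
}

// SafeQuery mirrors the "Recommended" block: the expression is a constant with
// a $username reference, and the value travels separately as an option.
func SafeQuery(username string) (string, []func(*Opts)) {
	return "//user[name=$username]/role", []func(*Opts){WithVar("username", username)}
}

// ResolveVars applies the option functions and checks that every $name in expr
// has a binding and every binding is referenced. The expression string is never
// modified, which is what keeps untrusted input from changing its structure.
func ResolveVars(expr string, opts ...func(*Opts)) (map[string]string, error) {
	o := &Opts{Vars: map[string]string{}}
	for _, opt := range opts {
		opt(o)
	}
	referenced := map[string]bool{}
	for _, m := range varRef.FindAllStringSubmatch(expr, -1) {
		referenced[m[1]] = true
		if _, ok := o.Vars[m[1]]; !ok {
			return nil, fmt.Errorf("unbound variable reference $%s in %q", m[1], expr)
		}
	}
	for name := range o.Vars {
		if !referenced[name] {
			return nil, fmt.Errorf("variable $%s is bound but never referenced", name)
		}
	}
	return o.Vars, nil
}

// QuotesBalanced is a cheap structural check: a string literal opened with a
// single quote must be closed by one, so an odd count means the expression no
// longer parses the way the author wrote it.
func QuotesBalanced(expr string) bool {
	return strings.Count(expr, "'")%2 == 0
}

func main() {
	// Constructed sample input: a legitimate value that happens to contain an
	// apostrophe. Any value carrying XPath syntax affects the concatenated
	// query in the same way.
	input := "O'Brien"

	concat := UnsafeQuery(input)
	fmt.Printf("concatenated:  %s (quotes balanced: %v)\n", concat, QuotesBalanced(concat))

	expr, opts := SafeQuery(input)
	vars, err := ResolveVars(expr, opts...)
	fmt.Printf("parameterised: %s vars=%v err=%v\n", expr, vars, err)
}
```

With the real library the same property holds: goxpath.MustParse sees only the constant expression, and the value is handed over through o.Vars, so there is nothing for a reviewer or a static checker like this rule to flag at the parse call.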
