adding xpath.select sink

bizob2828 · bizob2828 · commit f29ee466dd4e · 2020-02-06T11:51:20.000-05:00
diff --git a/lib/content/index.js b/lib/content/index.js
@@ -1,4 +1,5 @@
 module.exports = {
   nosqlInjection: require('./nosqlInjection'),
+  xpathInjection: require('./xpathInjection'),
   xxe: require('./xxe')
 };
diff --git a/lib/content/xpathInjection.js b/lib/content/xpathInjection.js
@@ -0,0 +1,17 @@
+module.exports.xml = `
+<?xml version="1.0"?>
+<users>
+  <user>
+    <username>admin</username>
+    <password>admin</password>
+  </user>
+  <user>
+    <username>user1</username>
+    <password>123456</password>
+  </user>
+  <user>
+    <username>tony</username>
+    <password>ynot</password>
+  </user>
+</users>
+`;
diff --git a/lib/routes.js b/lib/routes.js
@@ -96,5 +96,13 @@ module.exports = {
     products: ['Protect'],
     inputs: ['query'],
     sinks: sinks.untrustedDeserialization
+  },
+  xpathInjection: {
+    base: '/xpathInjection',
+    name: 'XPath Injection',
+    link: 'https://owasp.org/www-community/attacks/XPATH_Injection',
+    products: ['Assess'],
+    inputs: ['query'],
+    sinks: sinks.xpathInjection
   }
 };
diff --git a/lib/sinks/index.js b/lib/sinks/index.js
@@ -11,5 +11,6 @@ module.exports = {
   unvalidatedRedirect: require('./unvalidatedRedirect'),
   xss: require('./xss'),
   xxe: require('./xxe'),
-  untrustedDeserialization: require('./untrustedDeserialization')
+  untrustedDeserialization: require('./untrustedDeserialization'),
+  xpathInjection: require('./xpathInjection')
 };
diff --git a/lib/sinks/xpathInjection.js b/lib/sinks/xpathInjection.js
@@ -0,0 +1,20 @@
+'use strict';
+const xpath = require('xpath');
+const { DOMParser } = require('xmldom');
+const { xml } = require('../content/xpathInjection');
+const doc = new DOMParser().parseFromString(xml);
+
+module.exports['xpath.select'] = async function select(
+  input,
+  { safe = false, noop = false } = {}
+) {
+  if (noop) return 'NOOP';
+
+  const path = safe ? encodeURIComponent(input) : input;
+
+  return new Promise((resolve) => {
+    const searchString = `//user[username/text()='${path}']`;
+    const user = xpath.select(searchString, doc).toString();
+    resolve(user);
+  });
+};
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -36,7 +36,9 @@
     "request": "^2.88.0",
     "sequelize": "^5.21.1",
     "sql-template-strings": "^2.2.2",
-    "superagent": "^5.0.5"
+    "superagent": "^5.0.5",
+    "xmldom": "^0.2.1",
+    "xpath": "0.0.27"
   },
   "devDependencies": {
     "@contrast/eslint-config": "^1.0.3",
