# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 # {fact rule=xpath-injection@v1.0 defects=1} from flask import request, app @app.route('/user') def find_users_noncompliant(): from flask import request import xml.etree.ElementTree as ET tree = ET.parse('users.xml') root = tree.getroot() username = request.args['username'] query = "./users/user/[@name='"+username+"']/location" # Noncompliant: evaluating expression built from user-supplied parameter # can lead to XPath injection. elements = root.findall(query) return 'Location %s' % list(elements) # {/fact} # {fact rule=xpath-injection@v1.0 defects=0} from flask import request, app @app.route('/user') def find_users_compliant(): from flask import request from lxml import etree # Compliant: disabling external entities prevents XPath injection. parser = etree.XMLParser(resolve_entities=False) tree = etree.parse('users.xml', parser) root = tree.getroot() username = request.args['username'] query = "/collection/users/user[@name = $parameter_name]/location/text()" elements = root.xpath(query, parameter_name=username) return 'Location %s' % list(elements) # {/fact}