XPath injection mitigation


Question

Are there any pre-existing methods in .NET to detect/prevent an xpath injection attack?

I can foresee 2 examples but there are likely many more.

For example:

"/Some/XPath/" + UntrustedNodeName

If UntrustedNodeName is "DoesNotExist | /Some/Other/XPath" then this could be an attack.

"/Some/XPath[" + UntrustedFilter + "]"

If UntrustedFilter is "1 = 1" then this could also be an attack.

I make no assumption that I have covered all cases here!

I am guessing that the 2 situations need to be tested separately with different logic.

For other types of attacks there are encoding methods and parameterised classes to mitigate the risks. For XPath I can't find anything similar.

(Except - I did find this: http://www.tkachenko.com/blog/archives/000385.html but the installer didn't work)

Recommended answer

As Michael Kay says, the right approach here is to use XPath variables, but this is a bit tricky using built-in .NET APIs. I'll provide an example below of a (very bare bones) class that allows you to define XPath variables. Once you have that, you can make use of it like this:

VariableContext context = 
               new VariableContext { { "hello", 4 }, { "goodbye", "adios" } };

// node is a System.Xml.XmlNode object
XmlNodeList result = 
               node.SelectNodes("/my/field[. = $hello or . = $goodbye]", context);

This same class should also work with XmlNode.SelectSingleNode(), XPathNavigator.Select(), XPathNavigator.SelectSingleNode(), XPathNavigator.Evaluate(), and the XPath methods in XElement.

This provides a safe way to incorporate user-provided data values into your XPath, but as with Tomalak's answer, it does not address the issue of how to allow your user to provide entire pieces of XPath. I don't think there is a way to determine whether a piece of XPath is objectively safe or not, so if you're worried about that being a security risk, then the only solution is to not do it.

Here is the class. If you want to have it handle namespaces and stuff like that, that would need to be added.

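using System;
using System.Collections.Generic;
using System.Xml.XPath;
using System.Xml.Xsl;

// Supplies values for $variables referenced in an XPath expression.
class VariableContext : XsltContext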
{
    private Dictionary<string, object> m_values;

    public VariableContext()
    {
        m_values = new Dictionary<string, object>();
    }

    public void Add(string name, object value)
    {
        m_values[name] = value;
    }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        return new XPathVariable(m_values[name]);
    }

    public override int CompareDocument(string baseUri, string nextbaseUri)
    {
        throw new NotImplementedException();
    }

    public override bool PreserveWhitespace(XPathNavigator node)
    {
        throw new NotImplementedException();
    }

    public override IXsltContextFunction ResolveFunction(string prefix, string name, 
                                                         XPathResultType[] ArgTypes)
    {
        throw new NotImplementedException();
    }

    public override bool Whitespace
    {
        get { throw new NotImplementedException(); }
    }

    private class XPathVariable : IXsltContextVariable
    {
        private object m_value;

        internal XPathVariable(object value)
        {
            m_value = value;
        }

        public object Evaluate(XsltContext xsltContext)
        {
            return m_value;
        }

        public bool IsLocal
        {
            get { throw new NotImplementedException(); }
        }

        public bool IsParam
        {
            get { throw new NotImplementedException(); }
        }

        public XPathResultType VariableType
        {
            get { throw new NotImplementedException(); }
        }
    }

}
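
Added example, not part of the original answer: it applies the variable approach to the first case in the question (an untrusted node name) by comparing `local-name()` with a bound variable, next to the concatenated form. The class name `Vars`, the sample XML and the variable name `name` are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

// Compact stand-in for the answer's VariableContext; the name Vars is hypothetical.
class Vars : XsltContext
{
    private readonly Dictionary<string, object> _values = new Dictionary<string, object>();
    public void Add(string name, object value) { _values[name] = value; }
    public override IXsltContextVariable ResolveVariable(string prefix, string name)
        => new Var(_values[name]);
    public override IXsltContextFunction ResolveFunction(string prefix, string name,
        XPathResultType[] argTypes) => throw new NotImplementedException();
    public override int CompareDocument(string baseUri, string nextBaseUri) => 0;
    public override bool PreserveWhitespace(XPathNavigator node) => true;
    public override bool Whitespace => true;

    private sealed class Var : IXsltContextVariable
    {
        private readonly object _value;
        internal Var(object value) { _value = value; }
        public object Evaluate(XsltContext context) => _value;
        public bool IsLocal => false;
        public bool IsParam => false;
        public XPathResultType VariableType => XPathResultType.Any;
    }
}

static class Demo
{
    // Constructed sample document, shaped after the paths in the question.
    const string Xml = "<Some><XPath><Item>public</Item></XPath>" +
                       "<Other><XPath>private</XPath></Other></Some>";
    static void Main()
    {
        var doc = new XmlDocument();
        doc.LoadXml(Xml);
        string untrusted = "DoesNotExist | /Some/Other/XPath"; // value from the question

        // Concatenation: the input is parsed as XPath, so the union reaches /Some/Other/XPath.
        int concatenated = doc.SelectNodes("/Some/XPath/" + untrusted).Count;
        // Variable: the same input is only a string compared with each child's name.
        var vars = new Vars { { "name", untrusted } };
        int bound = doc.SelectNodes("/Some/XPath/*[local-name() = $name]", vars).Count;
        Console.WriteLine($"concatenated={concatenated} bound={bound}");
    }
}
```

Because the untrusted string never reaches the XPath parser in the bound form, no escaping or filtering of the input is needed for this pattern.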
