Python Xpath Format String Injection
Description
Detects potential XPath injection vulnerabilities in Python code that uses the lxml.etree library. The risk arises when untrusted user input is formatted directly into an XPath expression (f-strings, %-formatting, str.format() or string concatenation): an attacker can then change the query logic to read nodes they are not authorized to see, or submit a malformed value (a stray quote is enough) that makes XPath evaluation fail and causes a denial of service.
Detection Strategy
• Check whether the lxml.etree library is imported in the Python source code (`from lxml import etree` or `import lxml.etree`)
• Look for method calls named .xpath in the code
• Verify whether the query string passed to .xpath is built from data that originates in user input (for example a Flask request parameter)
• Report a vulnerability when all three conditions hold: lxml.etree is imported, a .xpath call is present, and its query text is assembled from user-controlled input. A constant query that passes user values through XPath variables (the $name syntax lxml supports) is the expected fix and is not reported.
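The detection strategy above, written out as an added example (this is illustrative code, not Fluid Attacks' scanner). It assumes a Flask-style `request` object as the only source of user input and follows taint through simple assignments; the two sample programs are constructed for the example.

```python
import ast

# Names assumed to carry attacker-controlled data (Flask/Django-style request object).
USER_INPUT_ROOTS = {"request"}

# Constructed sample: query text formatted from a request parameter (the flagged pattern).
VULNERABLE_SRC = '''\
from flask import Flask, request
from lxml import etree

app = Flask(__name__)
TREE = etree.fromstring(b"<users/>")

@app.route("/user")
def user():
    name = request.args.get("name", "")
    hits = TREE.xpath(f"//user[@name='{name}']")
    return str(len(hits))
'''

# Constructed sample: constant query, user value bound as an XPath variable.
SECURE_SRC = VULNERABLE_SRC.replace(
    'TREE.xpath(f"//user[@name=\'{name}\']")',
    'TREE.xpath("//user[@name=$name]", name=name)',
)


def _imports_lxml_etree(tree):
    """Step 1: `import lxml.etree` or `from lxml import etree` anywhere in the module."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name.split(".")[0] == "lxml" for a in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and node.module and node.module.split(".")[0] == "lxml":
            return True
    return False


def _touches_user_input(node, tainted):
    """Does this expression read `request.*` or a variable already known to be tainted?"""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if (isinstance(sub, ast.Attribute) and isinstance(sub.value, ast.Name)
                and sub.value.id in USER_INPUT_ROOTS):
            return True
    return False


def _tainted_names(tree):
    """Forward taint over plain assignments, iterated to a fixpoint so that
    a = request.form['x']; q = "...%s" % a; doc.xpath(q) is followed end to end."""
    tainted = set()
    while True:
        before = len(tainted)
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and _touches_user_input(node.value, tainted):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        if len(tainted) == before:
            return tainted


def _built_at_runtime(arg):
    """Query text assembled by formatting: f-string, % or + on strings, str.format(), or a variable."""
    if isinstance(arg, ast.JoinedStr):
        return True
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute) and arg.func.attr == "format":
        return True
    return isinstance(arg, ast.Name)   # resolved against the taint set by the caller


def find_xpath_injection(source):
    """Return [(line, call_text)] for every `.xpath(<query>)` whose query text is built
    from user input. A literal first argument (with $var bindings as keywords) is never reported."""
    tree = ast.parse(source)
    if not _imports_lxml_etree(tree):                      # step 1
        return []
    tainted = _tainted_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "xpath" and node.args):   # step 2
            continue
        query = node.args[0]
        if _built_at_runtime(query) and _touches_user_input(query, tainted):   # step 3
            findings.append((node.lineno, ast.unparse(node)))
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_xpath_injection(VULNERABLE_SRC))   # one finding on line 10
    print("secure:    ", find_xpath_injection(SECURE_SRC))       # no findings
```

The import check keeps the rule from firing on unrelated `.xpath` methods (other XML libraries, ORMs), and the taint set is what lets the rule catch the common two-step form where the query is assigned to a variable first and passed to `.xpath` later.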
Vulnerable code example
# ruff: noqa
from flask import Flask, request
from lxml import etree
app = Flask(__name__)
XML_DATA = """
<users>...
✅ Secure code example
# ruff: noqa
from flask import Flask, request
from lxml import etree
app = Flask(__name__)
XML_DATA = """
<users>...
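Both examples above are cut off on this page, so here is an added, complete illustration of the same pattern (example code, not the page's own): the formatted query the rule reports, next to the fix using lxml's XPath variable binding. The XML document and the `secrets_for_user_*` helpers are constructed for this example; in the Flask app above, `username` would come from `request.args`.

```python
from lxml import etree

# Constructed sample document (not from the original page).
XML_DATA = b"""<users>
  <user name="alice" role="admin"><secret>alpha-token</secret></user>
  <user name="bob" role="user"><secret>bravo-token</secret></user>
</users>"""
TREE = etree.fromstring(XML_DATA)


def secrets_for_user_vulnerable(tree, username):
    """Untrusted `username` is formatted straight into the query (the pattern the rule flags).
    A value such as  ' or '1'='1  rewrites the predicate and returns every user's secret."""
    return tree.xpath(f"//user[@name='{username}']/secret/text()")


def secrets_for_user_fixed(tree, username):
    """The query is a constant; lxml substitutes $name as a string *value*, so quotes
    and XPath operators in the input can never become query syntax."""
    return tree.xpath("//user[@name=$name]/secret/text()", name=username)


def vulnerable_query_breaks(tree, username):
    """Availability angle: a single stray quote makes the formatted query unparsable,
    which surfaces as an exception (a 500 error in the web app). The fixed version
    treats the same input as an ordinary string and simply finds nothing."""
    try:
        secrets_for_user_vulnerable(tree, username)
    except etree.XPathEvalError:
        return True
    return False


if __name__ == "__main__":
    payload = "' or '1'='1"
    print("vulnerable:", secrets_for_user_vulnerable(TREE, payload))   # both secrets
    print("fixed:     ", secrets_for_user_fixed(TREE, payload))        # []
    print("breaks on quote:", vulnerable_query_breaks(TREE, "'"))     # True
```

`etree.XPath("//user[@name=$name]/secret/text()")` compiles the same expression once and accepts the same keyword bindings, which is the form to use on a hot path; the rule is satisfied either way because the first argument to `.xpath` (or to `etree.XPath`) is a constant.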