Go Xpath Unsanitized Input Query
Description
Detects potential XPath injection vulnerabilities in Go applications using the xmlpath.v2 library. XPath injection occurs when untrusted user input is used directly in XPath queries without proper sanitization, which could allow attackers to modify the query logic and access unauthorized data.
Detection Strategy
• Check if the Go code imports the gopkg.in/xmlpath.v2 library
• Look for calls to suspicious XPath query methods
• Verify if the method parameters contain user-controlled input
• Report a vulnerability when user input flows into XPath query methods without proper sanitization
Vulnerable code example
package main
import (
"fmt"
"net/http"
"gopkg.in/xmlpath.v2"
)
...✅ Secure code example
package main
import (
"fmt"
"net/http"
"regexp"
"gopkg.in/xmlpath.v2"
)...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.