Bug #811

closed

Documentation Patch: Preventing XPath Injection attacks

Added by kabloom (Ken Bloom) over 15 years ago. Updated almost 13 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
[ruby-core:20213]

Description

=begin
Here's a patch to rexml/xpath.rb which documents the variables parameter
in REXML::XPath. I have previously posted this as ruby-core:16626, but it was ignored.
Please apply it to ruby 1.8 and ruby 1.9, to encourage secure coding practices.

--- xpath.rb.old 2008-04-24 17:31:51.000000000 -0500
+++ xpath.rb 2008-04-24 17:37:38.000000000 -0500
@@ -15,10 +15,15 @@
# node matching '*'.
# namespaces::
# If supplied, a Hash which defines a namespace mapping.

  •  # variables::
    
  •  #       If supplied, a Hash which maps $variables in the query
    
  •  #       to values. This can be used to avoid XPath injection attacks
    
  •  #       or to automatically handle escaping string values.
     #
     #  XPath.first( node )
     #  XPath.first( doc, "//b"} )
     #  XPath.first( node, "a/x:b", { "x"=>"http://doofus" } )
    
  •  #  XPath.first( node, '/book/publisher/text()=$publisher', {}, {"publisher"=>"O'Reilly"})
    
    def XPath::first element, path=nil, namespaces=nil, variables={}
    raise "The namespaces argument, if supplied, must be a hash object." unless namespaces.nil? or namespaces.kind_of?(Hash)
    raise "The variables argument, if supplied, must be a hash object." unless variables.kind_of?(Hash)
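Review bot: the added example `XPath.first( node, '/book/publisher/text()=$publisher', {}, {"publisher"=>"O'Reilly"})` puts the comparison at the top level of the expression, so it evaluates to a boolean instead of selecting a node; a predicate form such as `'/book[publisher/text()=$publisher]'` would show what `first` is meant to return. The `variables::` text could also spell out what the example only implies: hash keys are the variable names without the leading `$`, and a bound value is compared as a value rather than re-parsed as part of the expression, which is why the apostrophe in "O'Reilly" needs no escaping. While touching this comment block, the pre-existing context line `XPath.first( doc, "//b"} )` carries a stray `}`.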
    @@ -38,10 +43,16 @@
    # The xpath to search for. If not supplied or nil, defaults to '*'
    # namespaces::
    # If supplied, a Hash which defines a namespace mapping
  •  # variables::
    
  •  #       If supplied, a Hash which maps $variables in the query
    
  •  #       to values. This can be used to avoid XPath injection attacks
    
  •  #       or to automatically handle escaping string values.
     #
     #  XPath.each( node ) { |el| ... }
     #  XPath.each( node, '/*[@attr='v']' ) { |el| ... }
     #  XPath.each( node, 'ancestor::x' ) { |el| ... }
    
  •  #  XPath.each( node, '/book/publisher/text()=$publisher', {}, {"publisher"=>"O'Reilly"}) \
    
  •  #    {|el| ... }
     def XPath::each element, path=nil, namespaces=nil, variables={}, &block
     raise "The namespaces argument, if supplied, must be a hash object." unless namespaces.nil? or namespaces.kind_of?(Hash)
     raise "The variables argument, if supplied, must be a hash object." unless variables.kind_of?(Hash)
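Review bot: the added `each` example `'/book/publisher/text()=$publisher'` is a top-level comparison, so the block would receive a boolean result rather than matching `book` nodes; `'/book[publisher/text()=$publisher]'` demonstrates the variables hash as a predicate, which is the realistic use. The `variables::` paragraph here duplicates the one above `XPath::first` verbatim, so any wording change should be made in both places. Separately, the pre-existing context example `XPath.each( node, '/*[@attr='v']' )` nests single quotes inside a single-quoted Ruby string and does not parse as written; double-quoting the outer string would fix it.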
    

=end
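As an added illustration of the parameter this patch documents (example code written for this page, not part of the patch or of REXML itself): the same publisher lookup done once by splicing the value into the expression text and once by binding it through the variables hash. The catalog XML, book titles and function names are constructed for the example; only the "O'Reilly" value comes from the patch.

```ruby
require "rexml/document"

# Constructed sample catalog (not from the bug report). The apostrophe and the
# mixed quotes in the publisher names are exactly the values that break naive
# string interpolation into an XPath expression.
CATALOG_XML = <<~XML
  <catalog>
    <book><title>First Example Book</title><publisher>Acme Press</publisher></book>
    <book><title>Second Example Book</title><publisher>O'Reilly</publisher></book>
    <book><title>Third Example Book</title><publisher>Bob's "Books"</publisher></book>
  </catalog>
XML

def load_catalog
  REXML::Document.new(CATALOG_XML)
end

# Fragile form: the untrusted value is spliced into the expression text, so a
# quote inside the value terminates the XPath literal early and changes the
# shape of the query. Returns nil when the expression fails to parse or
# matches nothing, so callers cannot tell a bad query from a missing book.
def title_by_publisher_interpolated(doc, publisher)
  path = "/catalog/book[publisher='#{publisher}']/title"
  node = REXML::XPath.first(doc, path)
  node && node.text
rescue StandardError
  nil
end

# Safe form: the value is bound to $publisher through the variables hash that
# this patch documents. The hash key is the variable name without the leading
# "$"; the value is compared as a string and never re-parsed as XPath, so a
# name containing both quote kinds (impossible in a single XPath 1.0 literal)
# needs no escaping at all.
def title_by_publisher(doc, publisher)
  path = "/catalog/book[publisher=$publisher]/title"
  node = REXML::XPath.first(doc, path, {}, { "publisher" => publisher })
  node && node.text
end

if $PROGRAM_NAME == __FILE__
  doc = load_catalog
  ["Acme Press", "O'Reilly", %q{Bob's "Books"}].each do |name|
    puts "#{name.inspect}: interpolated=#{title_by_publisher_interpolated(doc, name).inspect} " \
         "bound=#{title_by_publisher(doc, name).inspect}"
  end
end
```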

#1

Updated by matz (Yukihiro Matsumoto) over 15 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

=begin
Applied in changeset r20455.
=end
