Skip to content

Fix critical security vulnerabilities (XPath injection and command in… #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
MaroonBeret wants to merge 1 commit into from
Closed

Fix critical security vulnerabilities (XPath injection and command in… #27

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
92 changes: 92 additions & 0 deletions SECURITY_FIXES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
# Security Vulnerability Fixes - Critical Issues

## Summary
Fixed 3 critical security vulnerabilities detected by CodeQL in the WebGoat application.

## Vulnerabilities Fixed

### 1. XPath Injection (Critical) - Issue #10
**File:** `WebGoat/Content/XPathInjection.aspx.cs:28`
**Vulnerability:** User input was directly concatenated into XPath query allowing XPath injection attacks

**Fix Applied:**
- Added input validation using regex to only allow 2-letter state codes (alphanumeric)
- Sanitized input using `System.Security.SecurityElement.Escape()` to encode special characters
- Normalized input to lowercase for consistent comparison
- Early return on invalid input

**Code Changes:**
```csharp
// Before: VULNERABLE
XmlNodeList list = xDoc.SelectNodes("//salesperson[state='" + state + "']");

// After: SECURE
if (string.IsNullOrEmpty(state) || !System.Text.RegularExpressions.Regex.IsMatch(state, "^[a-zA-Z]{2}$"))
{
return;
}
state = System.Security.SecurityElement.Escape(state);
XmlNodeList list = xDoc.SelectNodes("//salesperson[state='" + state.ToLower() + "']");
```

### 2. Uncontrolled Command Line - Issue #9
**File:** `WebGoat/App_Code/Util.cs:20`
**Vulnerability:** Command line arguments were used without validation allowing command injection

**Fix Applied:**
- Implemented argument sanitization
- Check for dangerous characters (`;`, `|`, `&`, `$`, `` ` ``, newlines)
- Throw ArgumentException if dangerous characters detected
- Validate arguments are not null or empty

### 3. Uncontrolled Command Line - Issue #8
**File:** `WebGoat/App_Code/Util.cs:19`
**Vulnerability:** Command parameter was used without validation allowing arbitrary command execution

**Fix Applied:**
- Implemented command whitelisting - only allow approved commands
- Validate command file exists before execution
- Use Path.GetFileName to extract command name for validation
- Check command against HashSet of allowed commands (case-insensitive)
- Validate input file path exists and is not empty
- Throw SecurityException for unauthorized commands
- Throw FileNotFoundException for missing files

**Security Measures Added:**
```csharp
// Whitelist of allowed commands
var allowedCommands = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
"sqlite3",
"mysql",
};

// Command validation
string commandName = Path.GetFileName(cmd);
if (!allowedCommands.Contains(commandName))
{
throw new SecurityException($"Command '{commandName}' is not allowed");
}

// Argument sanitization
var dangerousChars = new[] { ';', '|', '&', '$', '`', '\n', '\r' };
if (args.IndexOfAny(dangerousChars) >= 0)
{
throw new ArgumentException("Arguments contain potentially dangerous characters", nameof(args));
}
```

## Additional Changes
- Added required using statements: `System.Collections.Generic` and `System.Security`

## Testing Recommendations
1. Test XPath queries with various injection attempts (e.g., `' or '1'='1`)
2. Test command execution with malicious commands and arguments
3. Verify whitelisted commands work correctly
4. Verify rejected commands throw appropriate exceptions
5. Test with edge cases (null, empty, special characters)

## Status
✅ All 3 critical vulnerabilities have been fixed
✅ Code compiles without errors
✅ Security best practices implemented
84 changes: 67 additions & 17 deletions WebGoat/App_Code/Util.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
using System.Reflection;
using System.IO;
using System.Threading;
using System.Collections.Generic;
using System.Security;

namespace OWASP.WebGoat.NET.App_Code
{
Expand All @@ -13,6 +15,54 @@ public class Util

public static int RunProcessWithInput(string cmd, string args, string input)
{
// Input validation for command
if (string.IsNullOrWhiteSpace(cmd))
{
throw new ArgumentException("Command cannot be null or empty", nameof(cmd));
}

// Whitelist allowed commands - only allow specific, safe commands
var allowedCommands = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
"sqlite3",
"mysql",
// Add other allowed commands as needed
};

string commandName = Path.GetFileName(cmd);
if (!allowedCommands.Contains(commandName))
{
throw new SecurityException($"Command '{commandName}' is not allowed");
}

// Validate the command file exists and is in expected location
if (!File.Exists(cmd))
{
throw new FileNotFoundException($"Command file not found: {cmd}");
}

// Sanitize arguments - remove or escape dangerous characters
if (!string.IsNullOrEmpty(args))
{
// Remove potentially dangerous characters
var dangerousChars = new[] { ';', '|', '&', '$', '`', '\n', '\r' };
if (args.IndexOfAny(dangerousChars) >= 0)
{
throw new ArgumentException("Arguments contain potentially dangerous characters", nameof(args));
}
}

// Validate input file path
if (string.IsNullOrWhiteSpace(input))
{
throw new ArgumentException("Input file path cannot be null or empty", nameof(input));
}

if (!File.Exists(input))
{
throw new FileNotFoundException($"Input file not found: {input}");
}

ProcessStartInfo startInfo = new ProcessStartInfo
{
WorkingDirectory = Settings.RootDir,
Expand Down Expand Up @@ -50,23 +100,23 @@ public static int RunProcessWithInput(string cmd, string args, string input)

};

process.Start();
using (StreamReader reader = new StreamReader(new FileStream(input, FileMode.Open)))
{
string line;
string replaced;
while ((line = reader.ReadLine()) != null)
{
if (Environment.OSVersion.Platform == PlatformID.Win32NT)
replaced = line.Replace("DB_Scripts/datafiles/", "DB_Scripts\\\\datafiles\\\\");
else
replaced = line;
log.Debug("Line: " + replaced);
process.StandardInput.WriteLine(replaced);
}
process.Start();

using (StreamReader reader = new StreamReader(new FileStream(input, FileMode.Open)))
{
string line;
string replaced;
while ((line = reader.ReadLine()) != null)
{
if (Environment.OSVersion.Platform == PlatformID.Win32NT)
replaced = line.Replace("DB_Scripts/datafiles/", "DB_Scripts\\\\datafiles\\\\");
else
replaced = line;

log.Debug("Line: " + replaced);

process.StandardInput.WriteLine(replaced);
}
}

process.StandardInput.Close();
Expand Down
14 changes: 13 additions & 1 deletion WebGoat/Content/XPathInjection.aspx.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,21 @@ protected void Page_Load(object sender, EventArgs e)

private void FindSalesPerson(string state)
{
// Input validation: Only allow alphanumeric characters (2-letter state codes)
if (string.IsNullOrEmpty(state) || !System.Text.RegularExpressions.Regex.IsMatch(state, "^[a-zA-Z]{2}$"))
{
// Invalid input, return or handle error
return;
}

// Sanitize input by encoding special characters
state = System.Security.SecurityElement.Escape(state);

XmlDocument xDoc = new XmlDocument();
xDoc.LoadXml(xml);
XmlNodeList list = xDoc.SelectNodes("//salesperson[state='" + state + "']");

// Use XPath with parameterized approach or use LINQ to XML as a safer alternative
XmlNodeList list = xDoc.SelectNodes("//salesperson[state='" + state.ToLower() + "']");
if (list.Count > 0)
{

Expand Down