apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-12 19:55:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

new capacity bits (#67)

Browse source
This commit is contained in:
Eli Peter 2026-05-07 01:29:31 -04:00 committed by GitHub
parent afaffc0df6
commit 7d0e7320e2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
261 changed files with 10591 additions and 231 deletions
Download patch file Download diff file Expand all files Collapse all files

17
tests/fixtures/xpath_injection/java/UnsafeXPathQuery.java vendored Normal file
View file

@ -0,0 +1,17 @@
// Unsafe: attacker-controlled username concatenated into an XPath expression
// passed to XPath.evaluate. The flat matcher catches the qualified call.
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import javax.servlet.http.HttpServletRequest;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
public class UnsafeXPathQuery {
public NodeList lookup(HttpServletRequest req, Document doc) throws Exception {
String user = req.getParameter("user");
String expr = "//user[name='" + user + "']";
XPath xpath = XPathFactory.newInstance().newXPath();
return (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
}
}