[pitboss] phase 07: Track J.5 + Track L.5 — XPATH_INJECTION corpus + XPath / DOM / lxml adapters

tests/dynamic_fixtures/xpath_injection/python/benign.py

@@ -0,0 +1,13 @@
+# Phase 07 (Track J.5) — Python XPATH_INJECTION benign control fixture.
+#
+# Same shape as `vuln.py` but parameterises the XPath via a variable
+# binding (the recommended `lxml` defence), so the directory keeps
+# returning at most one node.
+from lxml import etree
+
+
+def run(name):
+    with open("xpath_corpus.xml", "rb") as f:
+        tree = etree.fromstring(f.read())
+    finder = etree.XPath("//user[@name=$name]")
+    return finder(tree, name=name)

tests/dynamic_fixtures/xpath_injection/python/vuln.py

@@ -0,0 +1,15 @@
+# Phase 07 (Track J.5) — Python XPATH_INJECTION vuln fixture.
+#
+# The function string-concatenates the attacker-controlled `name`
+# directly into an XPath expression evaluated by `lxml.etree`'s
+# `xpath` method.  A payload like `alice' or '1'='1` rewraps the
+# selector as `//user[@name='alice' or '1'='1']`, matching every
+# <user> node in the staged `xpath_corpus.xml`.
+from lxml import etree
+
+
+def run(name):
+    with open("xpath_corpus.xml", "rb") as f:
+        tree = etree.fromstring(f.read())
+    expr = "//user[@name='" + name + "']"
+    return tree.xpath(expr)