Create rule S2091: add Kotlin (SONARSEC-6213) (#4879)

github-actions[bot] · christophe-zurn-sonarsource · web-flow · commit 3374aaa7b20d · 2025-04-08T11:42:33.000Z
* Add kotlin to rule S2091

* Add Kotlin rule description; Fix resources links format; Fix and add code examples

---------

Co-authored-by: christophe-zurn-sonarsource &lt;christophe-zurn-sonarsource@users.noreply.github.com&gt;
Co-authored-by: Christophe Zurn &lt;christophe.zurn@sonarsource.com&gt;
diff --git a/docs/header_names/allowed_framework_names.adoc b/docs/header_names/allowed_framework_names.adoc
@@ -48,6 +48,7 @@
 * Java Lang Package
 * Java JNDI API
 * Java Regex API
+* Java XML API
 * Jdom2
 * JSP
 * Legacy Mongo Java API
diff --git a/rules/S2091/common/resources/articles.adoc b/rules/S2091/common/resources/articles.adoc
@@ -1,4 +1,4 @@
 === Articles & blog posts
 
-* https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html#xpath-injection[OWASP, XPath Injection Prevention Cheat Sheet]
-* https://web.archive.org/web/20230602194100/https://www.ambionics.io/blog/hacking-watchguard-firewalls[Ambionics, XPath Injection Section of "Hacking WatchGuard Firewalls']
+* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html#xpath-injection[XPath Injection Prevention Cheat Sheet]
+* Ambionics - https://web.archive.org/web/20230602194100/https://www.ambionics.io/blog/hacking-watchguard-firewalls[XPath Injection Section of "Hacking WatchGuard Firewalls']
diff --git a/rules/S2091/java/how-to-fix-it/java-xml.adoc b/rules/S2091/java/how-to-fix-it/java-xml.adoc
@@ -1,4 +1,4 @@
-== How to fix it in Java SE
+== How to fix it in Java XML API
 
 === Code examples
 
@@ -9,7 +9,10 @@ concatenated to an XPath query without prior validation.
 
 [source,java,diff-id=1,diff-type=noncompliant]
 ----
-public boolean authenticate(HttpServletRequest req, XPath xpath, Document doc) throws XPathExpressionException { 
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+
+public boolean authenticate(HttpServletRequest request, XPath xpath, Document doc) throws XPathExpressionException {
   String user = request.getParameter("user"); 
   String pass = request.getParameter("pass");
 
@@ -23,7 +26,11 @@ public boolean authenticate(HttpServletRequest req, XPath xpath, Document doc) t
 
 [source,java,diff-id=1,diff-type=compliant]
 ----
-public boolean authenticate(HttpServletRequest req, XPath xpath, Document doc) throws XPathExpressionException { 
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathVariableResolver;
+
+public boolean authenticate(HttpServletRequest request, XPath xpath, Document doc) throws XPathExpressionException {
   String user = request.getParameter("user"); 
   String pass = request.getParameter("pass");
 
diff --git a/rules/S2091/java/rule.adoc b/rules/S2091/java/rule.adoc
@@ -6,7 +6,7 @@ include::../impact.adoc[]
 
 // How to fix it section
 
-include::how-to-fix-it/java-se.adoc[]
+include::how-to-fix-it/java-xml.adoc[]
 
 == Resources
 
diff --git a/rules/S2091/kotlin/how-to-fix-it/java-xml.adoc b/rules/S2091/kotlin/how-to-fix-it/java-xml.adoc
@@ -0,0 +1,58 @@
+== How to fix it in Java XML API
+
+=== Code examples
+
+The following noncompliant code is vulnerable to XPath injections because untrusted data is
+concatenated to an XPath query without prior validation.
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=1,diff-type=noncompliant]
+----
+import javax.xml.xpath.XPath
+import javax.xml.xpath.XPathConstants
+
+fun authenticate(request: HttpServletRequest, xpath: XPath, doc: Document): Boolean {
+    val user: String = request.getParameter("user")
+    val pass: String = request.getParameter("pass")
+    val expression = "/users/user[@name='$user' and @pass='$pass']"
+    return xpath.evaluate(expression, doc, XPathConstants.BOOLEAN) as Boolean
+}
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=1,diff-type=compliant]
+----
+import javax.xml.xpath.XPath
+import javax.xml.xpath.XPathConstants
+import javax.xml.xpath.XPathVariableResolver
+
+fun authenticate(request: HttpServletRequest, xpath: XPath, doc: Document?): Boolean {
+    val user = request.getParameter("user")
+    val pass = request.getParameter("pass")
+    val expression = "/users/user[@name=\$user and @pass=\$pass]"
+    xpath.xPathVariableResolver = XPathVariableResolver { v: QName ->
+        when (v.localPart) {
+            "user" -> return@XPathVariableResolver user
+            "pass" -> return@XPathVariableResolver pass
+            else -> throw IllegalArgumentException()
+        }
+    }
+    return xpath.evaluate(expression, doc, XPathConstants.BOOLEAN) as Boolean
+}
+----
+
+=== How does this work?
+
+As a rule of thumb, the best approach to protect against injections is to
+systematically ensure that untrusted data cannot break out of the initially
+intended logic.
+
+include::../../common/fix/parameterized-queries.adoc[]
+
+In the example, a parameterized XPath query is created, and an `XPathVariableResolver` is used to securely insert untrusted data into the query, similar to parameterized SQL queries.
+
+include::../../common/fix/validation.adoc[]
+
+For Java, OWASP's Enterprise Security API offers https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/Encoder.html#encodeForXPath-java.lang.String-[`encodeForXPath`] which sanitizes metacharacters automatically.
diff --git a/rules/S2091/kotlin/metadata.json b/rules/S2091/kotlin/metadata.json
@@ -0,0 +1,36 @@
+{
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "securityStandards": {
+    "CERT": [
+      "IDS53-J."
+    ],
+    "CWE": [
+      20,
+      643
+    ],
+    "OWASP": [
+      "A1"
+    ],
+    "OWASP Top 10 2021": [
+      "A3"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.1"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "5.1.3",
+      "5.1.4",
+      "5.3.10"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222608",
+      "V-222609"
+    ]
+  }
+}
diff --git a/rules/S2091/kotlin/rule.adoc b/rules/S2091/kotlin/rule.adoc
@@ -0,0 +1,32 @@
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+// How to fix it section
+
+include::how-to-fix-it/java-xml.adoc[]
+
+== Resources
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]
+
