
HP Fortify has shown that some boilerplate code for .NET Web API 2 could be susceptible to external entity injection with XML.

The code in question looks like this:

    if (documentPath == null)
    {
        throw new ArgumentNullException("documentPath");
    }

    XPathDocument xpath = new XPathDocument(documentPath);  // badness here
    _documentNavigator = xpath.CreateNavigator();

Can anyone shed some light on how to resolve this?

Mateo
  • Did you find a solution for this? – capiono Jun 01 '16 at 21:29
  • This depends on the context of your code, which Fortify doesn't interpret. If `documentPath` comes from user input then you are vulnerable, however if you validate and sanitize the `documentPath` and handle this in code where you ensure only the valid files are allowed - then it can be marked as a false positive. – ColinM Jun 15 '18 at 09:35

0 Answers
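One way to address the finding, combining the path check described in ColinM's comment with an `XmlReader` that refuses DTDs instead of relying on `XPathDocument`'s defaults. This is an added example, not code from the original post or the Web API template; `SafeXPathLoader` and `allowedRoot` are hypothetical names.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.XPath;

public static class SafeXPathLoader
{
    // Hypothetical helper: allowedRoot is an assumed directory that is
    // expected to contain every XML file this code may legitimately load.
    public static XPathNavigator Load(string documentPath, string allowedRoot)
    {
        if (documentPath == null)
        {
            throw new ArgumentNullException("documentPath");
        }

        // Canonicalize both paths so "..\" segments cannot escape allowedRoot.
        string root = Path.GetFullPath(allowedRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string fullPath = Path.GetFullPath(documentPath);

        // Case-insensitive comparison assumes a Windows file system.
        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException(
                "Path is outside the allowed directory.", "documentPath");
        }

        var settings = new XmlReaderSettings
        {
            // Any DOCTYPE in the document raises XmlException, so no
            // entity (internal or external) is ever declared or expanded.
            DtdProcessing = DtdProcessing.Prohibit,
            // No resolver: the reader cannot fetch external resources.
            XmlResolver = null
        };

        using (FileStream stream = File.OpenRead(fullPath))
        using (XmlReader reader = XmlReader.Create(stream, settings))
        {
            // XPathDocument reads the whole document in its constructor,
            // so the reader and stream can be disposed afterwards.
            XPathDocument xpath = new XPathDocument(reader);
            return xpath.CreateNavigator();
        }
    }
}
```

A document that carries a DTD now fails with `XmlException` at load time, so callers should treat that exception as a rejected input rather than retrying with looser settings.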