How fix Xpath Injection issue in Fortify scan in c#

Question

HP fortify scan shows a Xpath Injection issue shows as below

 string repositoryID = Request.QueryString[repositoryIDKey];
 XmlDocument fullTreeviewMarkup = new SafeXmlDocument().LoadDocument(GetTreeViewMarkupFromSessionStore(sourceGuid));     
 XmlNode repositoryNode = fullTreeviewMarkup.SelectSingleNode( String.Format( "/root/TreeViewNode/TreeViewNode[@Value=\"{0}\"]", repositoryID ) );

How to fix this Xpath injection issue . Here repositoryID is System.GUID.How to validate repositoryID is GUID ?

@Dave3of5 sorry you are correct don't read the question fully ! — mybirthname, Feb 04 '16 at 16:02
http://stackoverflow.com/questions/6381689/how-to-prevent-xpath-xml-injection-in-net . You can check this answer they have details about it. — mybirthname, Feb 04 '16 at 16:04

score 1 · Accepted Answer · answered Feb 04 '16 at 16:13

Since you confirmed that repositoryID is a System.Guid then my edit for you would be the following:

Guid repositoryID;

if(Guid.TryParse(Request.QueryString[repositoryIDKey], out repositoryID))
{
    XmlDocument fullTreeviewMarkup = new SafeXmlDocument().LoadDocument(GetTreeViewMarkupFromSessionStore(sourceGuid));     
    XmlNode repositoryNode = fullTreeviewMarkup.SelectSingleNode( String.Format( "/root/TreeViewNode/TreeViewNode[@Value=\"{0}\"]", repositoryID ) );
}
else
{
    //Send Error
}

HP Fortify security scan still it shows Xpath injection issue ? any way to avoid warning in Fortify scan — fortifysafeer, Feb 05 '16 at 11:51

How fix Xpath Injection issue in Fortify scan in c#

1 Answers1