Xpath Injection in Chi

XPath injection vulnerabilities in Chi applications typically emerge through user-controlled data that flows into XPath queries without proper sanitization. In Chi-based APIs, this often occurs when handling XML-based requests or when querying XML data stores like eXist-db or BaseX.

A common manifestation appears in Chi route handlers that process XML data. Consider a Chi application that accepts XML payloads and queries them:

func handleSearch(w http.ResponseWriter, r *http.Request) {
    // Vulnerable: user input directly embedded in XPath
    query := r.URL.Query().Get("search")
    xpath := fmt.Sprintf("/library/book[contains(title, '%s')]", query)
    
    // Execute XPath against XML document
    result, err := executeXPath(xpath)
    if err != nil {
        http.Error(w, err.Error(), 500)
        return
    }
    
    w.Write(result)
}

The vulnerability becomes apparent when a malicious user submits: search=' or 1=1 or 'a'='a. This transforms the XPath into:

/library/book[contains(title, '') or 1=1 or 'a'='a']

Since 1=1 is always true, the query returns all books, bypassing intended access controls.

Another Chi-specific pattern occurs when integrating with XML databases. Many Chi applications use middleware for database connections:

router := chi.NewRouter()
router.Use(databaseMiddleware)

router.Post("/api/books", func(w http.ResponseWriter, r *http.Request) {
    db := r.Context().Value("db").(*XMLDatabase)
    
    // Vulnerable: unescaped user input
    title := r.FormValue("title")
    author := r.FormValue("author")
    
    query := fmt.Sprintf("/books/book[title='%s' and author='%s']", title, author)
    
    books, err := db.Query(query)
    if err != nil {
        http.Error(w, "Query error", 500)
        return
    }
    
    json.NewEncoder(w).Encode(books)
})

An attacker could submit: title=' OR '1'='1 and author=' OR '1'='1, causing the XPath to return all books regardless of title or author.

Chi applications handling SOAP requests face similar risks. A SOAP endpoint might look like:

router.Post("/soap", func(w http.ResponseWriter, r *http.Request) {
    body, _ := ioutil.ReadAll(r.Body)
    
    // Parse SOAP request
    doc, _ := xmlquery.Parse(bytes.NewReader(body))
    
    // Extract user-controlled values
    userID := xmlquery.FindOne(doc, "//UserID").InnerText()
    
    // Vulnerable: direct interpolation
    xpath := fmt.Sprintf("/users/user[id=%s]", userID)
    
    result, _ := executeXPath(xpath)
    w.Write(result)
})

Submitting <UserID>1 or 1=1</UserID> would bypass authentication checks and return all user data.

Detecting XPath injection in Chi applications requires examining both code patterns and runtime behavior. Start with static analysis of your Chi route handlers:

grep -r "fmt\.Sprintf.*xpath\|fmt\.Sprintf.*xpath" ./routes

# Look for these dangerous patterns:
# - Direct string interpolation with user input
# - XPath queries built from URL parameters, form data, or request bodies
# - XML database queries without parameterization

# Use a tool like gosec or custom scripts to find:
# fmt.Sprintf("...%s...", userInput) where userInput comes from r.URL, r.Form, or r.Body

Runtime detection focuses on identifying unusual XPath query patterns. Monitor your application logs for:

2024/01/15 10:30:45 [WARN] Suspicious XPath: /books/book[title='' or 1=1 or 'a'='a']
2024/01/15 10:31:12 [ALERT] Multiple XPath boolean injections detected in 5 minutes

For automated security testing, middleBrick provides comprehensive XPath injection detection for Chi APIs. The scanner analyzes your API endpoints by:

• Submitting crafted payloads to identify injection points
• Testing boolean logic injection (' or 1=1 or ')
• Checking for blind XPath injection using conditional responses
• Analyzing error messages that reveal XPath structure

middleBrick's approach is particularly effective because it tests the actual runtime behavior of your Chi application without requiring source code access. Simply run:

middlebrick scan https://your-chi-api.com/api/books

# Or integrate into CI/CD:
# middlebrick scan --fail-below B --output json

The scanner will identify XPath injection vulnerabilities along with 11 other security checks, providing severity ratings and specific remediation guidance for your Chi application.

For production monitoring, implement request validation middleware in your Chi application:

func xpathSanitizationMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        // Check for suspicious patterns in query parameters
        for key, values := range r.URL.Query() {
            for _, value := range values {
                if strings.Contains(value, "' or ") || strings.Contains(value, "' and ") {
                    http.Error(w, "Invalid input detected", 400)
                    return
                }
            }
        }
        next.ServeHTTP(w, r)
    })
}

router := chi.NewRouter()
router.Use(xpathSanitizationMiddleware)

This provides an additional layer of defense by blocking obvious injection attempts before they reach your business logic.

Remediating XPath injection in Chi applications requires eliminating string interpolation and using parameterized queries. The most effective approach is to use XML database libraries that support prepared statements or parameterized XPath expressions.

For eXist-db integration, use parameterized queries:

func handleBookSearch(w http.ResponseWriter, r *http.Request) {
    title := r.URL.Query().Get("title")
    author := r.URL.Query().Get("author")
    
    // Use parameterized query instead of string interpolation
    query := `xquery version "3.1";
              declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";
              declare option output:method "json";
              
              let $books := //book[
                if ($title) then contains(title, $title) else true(),
                if ($author) then contains(author, $author) else true()
              ]
              return $books`
    
    // Use eXist-db's prepared statement support
    params := map[string]interface{}{
        "title": title,
        "author": author,
    }
    
    result, err := db.ExecuteParameterized(query, params)
    if err != nil {
        http.Error(w, "Query failed", 500)
        return
    }
    
    w.Header().Set("Content-Type", "application/json")
    w.Write(result)
}

For applications using Go's standard library for XML processing, validate and sanitize inputs:

func sanitizeXPathInput(input string) string {
    // Remove or encode dangerous characters
    input = strings.ReplaceAll(input, "'", "''") // Escape single quotes
    input = strings.ReplaceAll(input, "=", "")   // Remove equality operators
    input = strings.ReplaceAll(input, "or", "")   // Remove logical operators
    input = strings.ReplaceAll(input, "and", "")  // Remove logical operators
    
    // Additional validation based on expected format
    if !isValidXPathLiteral(input) {
        return "" // Return empty string for invalid input
    }
    
    return input
}

func isValidXPathLiteral(input string) bool {
    // Allow only alphanumeric, spaces, and basic punctuation
    matched, _ := regexp.MatchString(`^[a-zA-Z0-9\s.,-]*$`, input)
    return matched
}

// Usage in route handler
router.Get("/api/books", func(w http.ResponseWriter, r *http.Request) {
    title := sanitizeXPathInput(r.URL.Query().Get("title"))
    author := sanitizeXPathInput(r.URL.Query().Get("author"))
    
    // Now safe to use in query
    query := fmt.Sprintf("/books/book[contains(title, '%s') and contains(author, '%s')]", title, author)
    
    // Execute query safely...
})

For Chi applications using XML databases like BaseX, leverage built-in parameterization:

func handleSearchWithParameterization(w http.ResponseWriter, r *http.Request) {
    db := r.Context().Value("basex").(*BaseXClient)
    
    title := r.URL.Query().Get("title")
    
    // Use BaseX's parameter binding
    query := `declare variable $title external;
              //book[contains(title, $title)]`
    
    // Execute with parameters
    result, err := db.QueryWithParams(query, map[string]string{
        "title": title,
    })
    
    if err != nil {
        http.Error(w, "Search failed", 500)
        return
    }
    
    json.NewEncoder(w).Encode(result)
}

Implement a comprehensive security middleware for your Chi application:

type xpathSecurityMiddleware struct {
    next http.Handler
}

func (m *xpathSecurityMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
    // Check request body for XML content
    if strings.Contains(r.Header.Get("Content-Type"), "xml") {
        body, err := ioutil.ReadAll(r.Body)
        if err != nil {
            http.Error(w, "Invalid request", 400)
            return
        }
        
        // Reset body for downstream handlers
        r.Body = ioutil.NopCloser(bytes.NewBuffer(body))
        
        // Scan for suspicious patterns
        if containsXPathInjectionPatterns(body) {
            http.Error(w, "Potential XPath injection detected", 400)
            return
        }
    }
    
    m.next.ServeHTTP(w, r)
}

func containsXPathInjectionPatterns(data []byte) bool {
    patterns := []string{
        "' or ", "' and ", "=' or", "=' and",
        "1=1", "1=0", "true()", "false()",
    }
    
    for _, pattern := range patterns {
        if bytes.Contains(data, []byte(pattern)) {
            return true
        }
    }
    return false
}

// Use in router
router := chi.NewRouter()
router.Use(&xpathSecurityMiddleware{next: router})

Finally, integrate middleBrick into your development workflow to continuously scan for XPath injection and other vulnerabilities:

# Install middleBrick CLI
npm install -g middlebrick

# Scan your Chi API
middlebrick scan https://api.your-app.com

# In CI/CD pipeline
middlebrick scan --fail-below B --output json > security-report.json

This combination of secure coding practices, input validation, parameterized queries, and automated scanning provides comprehensive protection against XPath injection in Chi applications.