Xpath Injection in Chi with Dynamodb
Xpath Injection in Chi with Dynamodb — how this specific combination creates or exposes the vulnerability
XPath Injection becomes relevant in Chi when application logic builds XPath expressions dynamically using user-controlled data, even if the backend data store is Amazon DynamoDB. DynamoDB itself does not use XPath; the vulnerability arises in the application layer (Chi routes and handlers) where input is concatenated into XPath strings that may be used for XML transformation, configuration lookup, or legacy integration before data is written to or read from DynamoDB.
An attacker can inject malicious XPath fragments to alter query behavior, bypass filters, or extract unintended data. For example, an endpoint that accepts a user ID and builds an XPath to locate a configuration node can be manipulated with ' or 1=1 or 'a'='a to change predicate logic. Because DynamoDB stores structured but non-XML data, the risk is not in compromising the database query itself but in abusing XPath-dependent processing that may influence authorization checks, data serialization, or request routing in the Chi application.
Consider a Chi handler that receives a query parameter and uses it to construct an XPath expression to validate access rights against an XML configuration before retrieving an item from DynamoDB:
// Chi route with unsafe XPath construction
app.get('/config/:id', (req, res) => {
const userId = req.params.id;
const xpath = "//Config[userId/text()='" + userId + "']";
// Use xpath to filter or locate configuration before calling DynamoDB
const config = evaluateXPath(xpath);
if (!config) return res.status(403).send('Forbidden');
// Proceed to fetch item from DynamoDB using a safe, parameterized key
const item = dynamodb.get({ TableName: 'Settings', Key: { id: config.safeId } }).promise();
res.json(item);
});If the attacker sends /config/'; fn=//Config/fn/text();%20, the resulting XPath may execute unintended functions or retrieve arbitrary nodes, exposing configuration details that could inform further attacks against DynamoDB. Although DynamoDB queries remain parameterized and safe, the XPath layer introduces an injection vector that can leak sensitive metadata or bypass intended access controls.
middleBrick detects this pattern by analyzing the unauthenticated attack surface of the Chi application, flagging user input that reaches XPath construction without proper sanitization or strict schema validation. The scanner cross-references the OpenAPI specification with runtime behavior to highlight high-risk endpoints where dynamic XPath building intersects with data retrieval from DynamoDB, ensuring findings are actionable and tied to concrete remediation.
Dynamodb-Specific Remediation in Chi — concrete code fixes
Remediation focuses on removing XPath construction from user input and ensuring DynamoDB access uses parameterized keys. Do not concatenate user data into XPath expressions; instead, use a strict mapping from validated identifiers to DynamoDB keys or use precompiled XPath templates with whitelisted values.
1) Replace dynamic XPath with a lookup map
Validate the identifier against a known set and use it only as a DynamoDB key:
// Safe Chi route using a lookup map instead of XPath
const configMap = {
'app-config': { id: 'app-config', settings: { region: 'us-east-1' } },
'service-a': { id: 'service-a', settings: { region: 'eu-west-1' } }
};
app.get('/settings/:id', (req, res) => {
const id = req.params.id;
const config = configMap[id];
if (!config) return res.status(404).send('Not found');
// Safe DynamoDB call using the validated key
const item = dynamodb.get({ TableName: 'Settings', Key: { id: config.id } }).promise();
res.json(item);
});2) Use strict schema validation and allowlists
If you must accept selectors, validate them against an allowlist and map them to predefined XPath fragments on the server side:
// Chi route with allowlist validation
const allowed = new Set(['default', 'override']);
app.get('/prefs/:category/:selector', (req, res) => {
const category = req.params.category;
const selector = req.params.selector;
if (!allowed.has(selector)) return res.status(400).send('Invalid selector');
// Build XPath safely on server side only
const xpath = "//Config[category/@name='" + category + "']/" + selector;
const config = evaluateXPath(xpath); // server-controlled function
// Continue with DynamoDB using parameterized key derived from validated input
const item = dynamodb.get({ TableName: 'Settings', Key: { category, selector } }).promise();
res.json(item);
});3) Parameterize DynamoDB access and avoid XPath for access control
Use DynamoDB condition expressions or IAM policies for authorization rather than XPath-derived decisions:
// Chi route using DynamoDB condition checks instead of XPath
app.get('/item/:partition/:sort', async (req, res) => {
const { partition, sort } = req.params;
// Validate partition/sort format with regex or schema
if (!/^[a-zA-Z0-9_-]+$/.test(partition) || !/^[a-zA-Z0-9_-]+$/.test(sort)) {
return res.status(400).send('Invalid parameters');
}
const item = await dynamodb.get({
TableName: 'Items',
Key: { pk: partition, sk: sort },
ConditionExpression: 'attribute_exists(pk) AND attribute_exists(sk)'
}).promise();
res.json(item);
});By keeping XPath static or removing it entirely, and by using DynamoDB’s native key structure with strict input validation, the attack surface is minimized. middleBrick can verify these fixes by rescanning the Chi endpoints and confirming that user-controlled data no longer reaches XPath construction and that DynamoDB calls remain parameterized.