jazzer
Xpath sanitizer
Added XPath Sanitizer + simple test case
@SyrasX Sorry for the long wait, I have been quite busy finishing up some larger refactorings and feature additions. I will have to brush up my knowledge of XPath and XML in general for a proper review. I hope to get to that by next week.
@fmeum No worries, take as much time as you need. Maybe some additional info:
The current approach will not detect an injection if quotation marks in input are sanitized but the program allows the input to directly build a query instead of using something like this "//input[@id='firstName']". I personally would rate it rather unlikely.
The original plan was to use the Xpath.compile() function to check for correct syntax in a similar way to the SQL Injection Sanitizer. I just fear that since the XPathExpressionException is thrown because of reasons not strictly related to syntax, that we would report all the normally caught and handled exceptions without them being an injection.
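Added example, not part of the thread or of Jazzer's code: the quoted query shape from the comment above, built once by string concatenation and once with the value bound through an `XPathVariableResolver`. The class name, method names and sample XML are constructed for illustration; the benign value `O'Brien` shows how an ordinary apostrophe already raises `XPathExpressionException` in the concatenated form, while the bound form treats it as data.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

// Hypothetical demo class; names and sample data are constructed.
public class XPathQuoteContext {
  // Constructed sample document with one id that contains an apostrophe.
  static final String XML =
      "<form><input id=\"firstName\">Ada</input><input id=\"O'Brien\">Pat</input></form>";

  // Untrusted text becomes part of the expression, inside a quoted literal.
  static String concatenated(String id) throws XPathExpressionException {
    XPath xpath = XPathFactory.newInstance().newXPath();
    String expr = "//input[@id='" + id + "']";
    return xpath.evaluate(expr, new InputSource(new StringReader(XML)));
  }

  // Untrusted text is bound to $id and is never parsed as XPath syntax.
  static String parameterized(String id) throws XPathExpressionException {
    XPath xpath = XPathFactory.newInstance().newXPath();
    xpath.setXPathVariableResolver(
        (QName name) -> "id".equals(name.getLocalPart()) ? id : null);
    return xpath.evaluate("//input[@id=$id]", new InputSource(new StringReader(XML)));
  }

  public static void main(String[] args) throws Exception {
    for (String id : new String[] {"firstName", "O'Brien"}) {
      try {
        System.out.println("concatenated(" + id + ") -> " + concatenated(id));
      } catch (XPathExpressionException e) {
        // The apostrophe closed the literal early, so the expression no longer compiles.
        System.out.println("concatenated(" + id + ") -> XPathExpressionException");
      }
      System.out.println("parameterized(" + id + ") -> " + parameterized(id));
    }
  }
}
```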
You probably have to rebase on the latest main version and resolve the conflict to trigger a new pipeline run.
I don't think I can even trigger a pipeline run myself. Also getting to run the format.sh correctly last time took some time, so I just hope it's fine. If not please just run it yourself.
@SyrasX Pipeline runs now :).
There seem to be conflicts with the main branch, at least that's why GitHub prevents a rebase and merge. Could you squash all commits and rebase on main? That should resolve the conflicts.
Done. Does it work now, @bertschneider?
Merged. Thx again for the PR and your patience.