Merge pull request #1 from aspectsecurity/alert-autofix-6

Potential fix for code scanning alert no. 6: XPath injection

Author: davewichers

src/main/java/org/owasp/benchmark/testcode/Benchmark00207.java

@@ -56,6 +56,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                                     org.apache.commons.codec.binary.Base64.encodeBase64(
                                             param.getBytes())));
         }
+        final String bar2 = bar;
 
         try {
             java.io.FileInputStream file =
@@ -71,7 +72,17 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
             javax.xml.xpath.XPathFactory xpf = javax.xml.xpath.XPathFactory.newInstance();
             javax.xml.xpath.XPath xp = xpf.newXPath();
 
-            String expression = "/Employees/Employee[@emplid='" + bar + "']";
+            String expression = "/Employees/Employee[@emplid=$emplid]";
+            xp.setXPathVariableResolver(
+                    new javax.xml.xpath.XPathVariableResolver() {
+                        @Override
+                        public Object resolveVariable(javax.xml.namespace.QName variableName) {
+                            if ("emplid".equals(variableName.getLocalPart())) {
+                                return bar2;
+                            }
+                            return null;
+                        }
+                    });
             String result = xp.evaluate(expression, xmlDocument);
 
             response.getWriter().println("Your query results are: " + result + "<br/>");