Dela via


CA3077: Insecure Processing in API Design, XML Document and XML Text Reader

Note

This article applies to Visual Studio 2015. If you're looking for the latest Visual Studio documentation, see Visual Studio documentation. We recommend upgrading to the latest version of Visual Studio. Download it here

Item Value
TypeName InsecureDTDProcessingInAPIDesign
CheckId CA3077
Category Microsoft.Security
Breaking Change Non Breaking

Cause

When designing an API derived from XMLDocument and XMLTextReader, be mindful of DtdProcessing. Using insecure DTDProcessing instances when referencing or resolving external entity sources or setting insecure values in the XML may lead to information disclosure.

Rule Description

A Document Type Definition (DTD) is one of two ways an XML parser can determine the validity of a document, as defined by the World Wide Web Consortium (W3C) Extensible Markup Language (XML) 1.0. This rule seeks properties and instances where untrusted data is accepted to warn developers about potential Information Disclosure threats, which may lead to Denial of Service (DoS) attacks. This rule triggers when:

  • XmlDocument or XmlTextReader classes use default resolver values for DTD processing .

  • No constructor is defined for the XmlDocument or XmlTextReader derived classes or no secure value is used for XmlResolver.

How to Fix Violations

  • Catch and process all XmlTextReader exceptions properly to avoid path information disclosure .

  • Use XmlSecureResolverinstead of XmlResolver to restrict the resources the XmlTextReader can access.

When to Suppress Warnings

Unless you're sure that the input is known to be from a trusted source, do not suppress a rule from this warning.

Pseudo-code Examples

Violation

using System;
using System.Xml;

namespace TestNamespace
{
    class TestClass : XmlDocument
    {
        public TestClass () {} // warn
    }

    class TestClass2 : XmlTextReader
    {
        public TestClass2() // warn
        {
        }
    }
}

Solution

using System;
using System.Xml;

namespace TestNamespace
{
    class TestClass : XmlDocument
    {
        public TestClass ()
        {
            XmlResolver = null;
        }
    }

    class TestClass2 : XmlTextReader
    {
        public TestClass2()
        {
               XmlResolver = null;
        }
    }
}