CA3061: Do not add schema by URL

Property	Value
Rule ID	CA3061
Title	Do not add schema by URL
Category	Security
Fix is breaking or non-breaking	Non-breaking
Enabled by default in .NET 8	No

Cause

Overload of XmlSchemaCollection.Add(String, String) is using XmlUrlResolver to specify external XML schema in the form of an URI. If the URI String is tainted, it may lead to parsing of a malicious XML schema, which allows for the inclusion of XML bombs and malicious external entities. This could allow a malicious attacker to perform a denial of service, information disclosure, or server-side request forgery attack.

Rule description

Do not use the unsafe overload of the Add method because it may cause dangerous external references.

How to fix violations

• Do not use XmlSchemaCollection.Add(String, String).

When to suppress warnings

Suppress this rule if you are sure your XML does not resolve dangerous external references.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA3061
// The code that's violating the rule is on this line.
#pragma warning restore CA3061

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA3061.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

The following pseudo-code sample illustrates the pattern detected by this rule. The second parameter's type is string.

using System;
using System.Xml.Schema;
...
XmlSchemaCollection xsc = new XmlSchemaCollection();
xsc.Add("urn: bookstore - schema", "books.xsd");

Solution

using System;
using System.IO;
using System.Xml;
using System.Xml.Schema;
...
XmlSchemaCollection xsc = new XmlSchemaCollection();
xsc.Add("urn: bookstore - schema", new XmlTextReader(new FileStream(""xmlFilename"", FileMode.Open)));