CA3077: Insecure Processing in API Design, XML Document and XML Text Reader
| Property | Value |
|---|---|
| Rule ID | CA3077 |
| Title | Insecure Processing in API Design, XML Document and XML Text Reader |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
When designing an API derived from XMLDocument and XMLTextReader, be mindful of DtdProcessing. Using insecure DTDProcessing instances when referencing or resolving external entity sources or setting insecure values in the XML may lead to information disclosure.
Rule description
A Document Type Definition (DTD) is one of two ways an XML parser can determine the validity of a document, as defined by the World Wide Web Consortium (W3C) Extensible Markup Language (XML) 1.0. This rule seeks properties and instances where untrusted data is accepted to warn developers about potential Information Disclosure threats, which may lead to Denial of Service (DoS) attacks. This rule triggers when:
XmlDocument or XmlTextReader classes use default resolver values for DTD processing .
No constructor is defined for the XmlDocument or XmlTextReader derived classes or no secure value is used for XmlResolver.
How to fix violations
Catch and process all XmlTextReader exceptions properly to avoid path information disclosure .
Use XmlSecureResolverinstead of XmlResolver to restrict the resources the XmlTextReader can access.
When to suppress warnings
Unless you're sure that the input is known to be from a trusted source, do not suppress a rule from this warning.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA3077
// The code that's violating the rule is on this line.
#pragma warning restore CA3077
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA3077.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Violation
using System;
using System.Xml;
namespace TestNamespace
{
class TestClass : XmlDocument
{
public TestClass () {} // warn
}
class TestClass2 : XmlTextReader
{
public TestClass2() // warn
{
}
}
}
Solution
using System;
using System.Xml;
namespace TestNamespace
{
class TestClass : XmlDocument
{
public TestClass ()
{
XmlResolver = null;
}
}
class TestClass2 : XmlTextReader
{
public TestClass2()
{
XmlResolver = null;
}
}
}
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for