Edit

Share via

CA3077: Insecure Processing in API Design, XML Document and XML Text Reader

  • Article
Property Value
Rule ID CA3077
Title Insecure Processing in API Design, XML Document and XML Text Reader
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 8 No

Cause

When designing an API derived from XMLDocument and XMLTextReader, be mindful of DtdProcessing. Using insecure DTDProcessing instances when referencing or resolving external entity sources or setting insecure values in the XML may lead to information disclosure.

Rule description

A Document Type Definition (DTD) is one of two ways an XML parser can determine the validity of a document, as defined by the World Wide Web Consortium (W3C) Extensible Markup Language (XML) 1.0. This rule seeks properties and instances where untrusted data is accepted to warn developers about potential Information Disclosure threats, which may lead to Denial of Service (DoS) attacks. This rule triggers when:

  • XmlDocument or XmlTextReader classes use default resolver values for DTD processing .

  • No constructor is defined for the XmlDocument or XmlTextReader derived classes or no secure value is used for XmlResolver.

How to fix violations

  • Catch and process all XmlTextReader exceptions properly to avoid path information disclosure .

  • Use XmlSecureResolverinstead of XmlResolver to restrict the resources the XmlTextReader can access.

When to suppress warnings

Unless you're sure that the input is known to be from a trusted source, do not suppress a rule from this warning.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA3077
// The code that's violating the rule is on this line.
#pragma warning restore CA3077

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA3077.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

using System;
using System.Xml;

namespace TestNamespace
{
    class TestClass : XmlDocument
    {
        public TestClass () {} // warn
    }

    class TestClass2 : XmlTextReader
    {
        public TestClass2() // warn
        {
        }
    }
}

Solution

using System;
using System.Xml;

namespace TestNamespace
{
    class TestClass : XmlDocument
    {
        public TestClass ()
        {
            XmlResolver = null;
        }
    }

    class TestClass2 : XmlTextReader
    {
        public TestClass2()
        {
               XmlResolver = null;
        }
    }
}