CA5366: Use XmlReader For DataSet Read XML
| Property | Value |
|---|---|
| Rule ID | CA5366 |
| Title | Use XmlReader For DataSet Read XML |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
A Document Type Definition (DTD) defines the structure and the legal elements and attributes of an XML document. Referencing a DTD from an external resource can enable Denial of Service (DoS) attacks. Most readers cannot disable DTD processing or restrict the loading of external references; System.Xml.XmlReader is the exception. Using one of these other readers to load XML by one of the following methods triggers this rule:
Rule description
Using a System.Data.DataSet to read XML with untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.
How to fix violations
Use XmlReader or its derived classes to read XML.
When to suppress warnings
Suppress a warning from this rule when dealing with a trusted data source.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

```csharp
#pragma warning disable CA5366
// The code that's violating the rule is on this line.
#pragma warning restore CA5366
```
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

```ini
[*.{cs,vb}]
dotnet_diagnostic.CA5366.severity = none
```
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Violation
```csharp
using System.Data;
using System.IO;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // Violation: the DataSet parses the stream itself, so DTD processing
        // and external reference resolution cannot be restricted.
        new DataSet().ReadXml(new FileStream("xmlFilename", FileMode.Open));
    }
}
```
Solution
```csharp
using System.Data;
using System.IO;
using System.Xml;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // Fixed: the DataSet reads through an XmlReader-derived reader,
        // which is what the rule requires.
        new DataSet().ReadXml(new XmlTextReader(new FileStream("xmlFilename", FileMode.Open)));
    }
}
```
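The following is an added example, not code from the CA5366 documentation, showing the "How to fix violations" guidance carried through with explicit XmlReaderSettings: DTD processing is prohibited and the resolver is null, so a constructed document carrying an external DOCTYPE is rejected before anything is fetched, while a plain document loads normally. The sample XML strings and the `SafeDataSetLoader` class name are constructed for this example.

```csharp
using System;
using System.Data;
using System.IO;
using System.Text;
using System.Xml;

// Added example (not part of the CA5366 docs): load a DataSet only through an
// XmlReader configured to refuse DTDs and never resolve external resources.
public static class SafeDataSetLoader
{
    // Constructed sample: a harmless document the DataSet can infer a schema from.
    const string SafeXml =
        "<Orders><Order><Id>1</Id><Customer>alice</Customer></Order></Orders>";

    // Constructed sample: same data, but with a DOCTYPE pointing at an external
    // resource. DtdProcessing.Prohibit rejects it as soon as the DOCTYPE is seen.
    const string DtdXml =
        "<!DOCTYPE Orders SYSTEM \"http://example.invalid/orders.dtd\">" +
        "<Orders><Order><Id>1</Id><Customer>alice</Customer></Order></Orders>";

    public static DataSet Load(Stream xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> throws XmlException
            XmlResolver = null                      // external references are never fetched
        };
        using var reader = XmlReader.Create(xml, settings);
        var ds = new DataSet();
        ds.ReadXml(reader); // satisfies CA5366: the DataSet only sees the XmlReader
        return ds;
    }

    public static void Main()
    {
        using var safe = new MemoryStream(Encoding.UTF8.GetBytes(SafeXml));
        var ds = Load(safe);
        Console.WriteLine($"Loaded {ds.Tables["Order"].Rows.Count} row(s) from the safe document");

        using var hostile = new MemoryStream(Encoding.UTF8.GetBytes(DtdXml));
        try
        {
            Load(hostile);
            Console.WriteLine("Unexpected: document with a DTD was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected document with a DTD: " + ex.Message);
        }
    }
}
```

If a trusted source legitimately needs DTDs, use DtdProcessing.Ignore rather than Parse and keep XmlResolver null, so declarations are skipped without any external fetch.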