Sündmused
17. märts, 21 - 21. märts, 10
Liituge sarjaga, et luua muude arendajate ja ekspertidega skaleeritavad tehisintellektilahendused, mis põhinevad reaalajas kasutusjuhtumitel.
Registreeruge koheCA5370: Use XmlReader for validating reader
| Property | Value |
|---|---|
| Rule ID | CA5370 |
| Title | Use XmlReader for validating reader |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
Validating untrusted XML input with the XmlValidatingReader class instantiated without an XmlReader object can potentially lead to denial of service, information disclosure, and server-side request forgery. These attacks are enabled by untrusted DTD and XML schema processing, which allows for the inclusion of XML bombs and malicious external entities in the XML. Only with XmlReader is it possible to disable DTD. Inline XML schema processing as XmlReader has the ProhibitDtd and ProcessInlineSchema property set to false by default in .NET Framework starting in version 4.0.
Processing untrusted DTD and XML schemas may enable loading dangerous external references. This dangerous loading can be restricted by using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled. This rule detects code that uses the XmlValidatingReader class without XmlReader as a constructor parameter.
- Use
XmlValidatingReader(XmlReader)withProhibitDtdandProcessInlineSchemaproperties set tofalse. - Starting in .NET Framework 2.0,
XmlValidatingReaderis considered obsolete. You can instantiate a validating reader with XmlReader.Create.
You can potentially suppress this warning if the XmlValidatingReader is always used to validate XML that comes from a trusted source and hence cannot be tampered with.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
C#
#pragma warning disable CA5370
// The code that's violating the rule is on this line.
#pragma warning restore CA5370
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
ini
[*.{cs,vb}]
dotnet_diagnostic.CA5370.severity = none
For more information, see How to suppress code analysis warnings.
The following pseudo-code sample illustrates the pattern detected by this rule.
The type of the first parameter of XmlValidatingReader.XmlValidatingReader() is not XmlReader.
C#
using System;
using System.IO;
using System.Xml;
...
public void TestMethod(Stream xmlFragment, XmlNodeType fragType, XmlParserContext context)
{
var obj = new XmlValidatingReader(xmlFragment, fragType, context);
}
C#
using System;
using System.Xml;
...
public void TestMethod(XmlReader xmlReader)
{
var obj = new XmlValidatingReader(xmlReader);
}
Tehke meiega GitHubis koostööd
Selle sisu allika leiate GitHubist, kus saate ka probleeme luua ja läbi vaadata ning päringuid teha. Lisateavet leiate meie kaasautorite juhendist.
Toote „.NET“ tagasiside
.NET on avatud lähtekoodiga projekt. Tagasiside andmiseks valige link: