| Property | Value |
|---|---|
| Rule ID | CA5372 |
| Title | Use XmlReader for XPathDocument |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
Using the `XPathDocument` class instantiated without an `XmlReader` object can potentially lead to denial of service, information disclosure, and server-side request forgery attacks. These attacks are enabled by untrusted DTD and XML schema processing, which allows for the inclusion of XML bombs and malicious external entities in the XML. Only with `XmlReader` is it possible to disable DTD and inline XML schema processing, as `XmlReader` has the `ProhibitDtd` and `ProcessInlineSchema` properties set to false by default in .NET Framework starting in version 4.0. The other options, such as `Stream`, `TextReader`, and `XmlSerializationReader`, cannot disable DTD processing.
Processing XML from untrusted data may load dangerous external references, which can be restricted by using an `XmlReader` with a secure resolver or with DTD processing disabled. This rule detects code that uses the `XPathDocument` class and doesn't take `XmlReader` as a constructor parameter.
Use `XPathDocument(XmlReader, *)` constructors.
You can potentially suppress this warning if the `XPathDocument` object is used to process an XML file that comes from a trusted source and hence cannot be tampered with.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

```csharp
#pragma warning disable CA5372
// The code that's violating the rule is on this line.
#pragma warning restore CA5372
```
To disable the rule for a file, folder, or project, set its severity to `none` in the configuration file.

```ini
[*.{cs,vb}]
dotnet_diagnostic.CA5372.severity = none
```
For more information, see How to suppress code analysis warnings.
The following pseudo-code sample illustrates the pattern detected by this rule. The type of the first parameter of `XPathDocument` is not `XmlReader`.
```csharp
using System.IO;
using System.Xml.XPath;
...
public void TestMethod(Stream stream)
{
    // Violation: the Stream overload cannot disable DTD processing,
    // so DTDs and external entities in untrusted input are honored.
    var obj = new XPathDocument(stream);
}
```
```csharp
using System.Xml;
using System.Xml.XPath;
...
public void TestMethod(XmlReader reader)
{
    // Solution: the XmlReader overload lets the caller control DTD and
    // schema processing through the reader's settings.
    var obj = new XPathDocument(reader);
}
```
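The solution above only helps if the `XmlReader` passed in is actually configured to refuse DTDs and external references. The following added example (not code from the rule's documentation or from the .NET analyzers; `SafeXPathLoader`, `HardenedSettings`, and `Load` are hypothetical names) shows a hardened `XmlReaderSettings`, loads untrusted input through it into an `XPathDocument`, and demonstrates that a document carrying a DOCTYPE is rejected with an `XmlException` before any entity is expanded. It uses `XmlReaderSettings.DtdProcessing`, the current replacement for the obsolete `ProhibitDtd` property.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.XPath;

// Hypothetical helper class for this example; not part of the .NET API.
public static class SafeXPathLoader
{
    // Reader settings that refuse DTDs and never resolve external references.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit, // reject <!DOCTYPE ...> outright (no entity expansion, no XML bombs)
        XmlResolver = null,                     // never fetch external entities or schemas (blocks SSRF and file disclosure)
        ValidationType = ValidationType.None    // no inline schema processing
    };

    // Load untrusted XML into an XPathDocument through a hardened XmlReader.
    // Satisfies CA5372 because the XPathDocument(XmlReader) overload is used.
    public static XPathDocument Load(Stream untrusted)
    {
        using var reader = XmlReader.Create(untrusted, HardenedSettings());
        return new XPathDocument(reader);
    }

    private static Stream AsStream(string xml) => new MemoryStream(Encoding.UTF8.GetBytes(xml));

    public static void Main()
    {
        // Constructed sample inputs: one with an internal DTD, one without.
        const string withDtd = "<!DOCTYPE d [<!ENTITY x \"y\">]><d>&x;</d>";
        const string clean = "<d><item>1</item></d>";

        try
        {
            Load(AsStream(withDtd));
            Console.WriteLine("unexpected: DTD was accepted");
        }
        catch (XmlException ex)
        {
            // DtdProcessing.Prohibit makes the reader throw as soon as it sees the DOCTYPE.
            Console.WriteLine("rejected DTD as expected: " + ex.Message);
        }

        XPathDocument doc = Load(AsStream(clean));
        XPathNavigator nav = doc.CreateNavigator();
        Console.WriteLine(nav.SelectSingleNode("/d/item")?.Value); // prints "1"
    }
}
```

If a trusted schema must be applied, keep `XmlResolver = null` and supply the schema explicitly through `XmlReaderSettings.Schemas` rather than letting the reader resolve `xsi:schemaLocation` hints from the input; `DtdProcessing.Ignore` is a softer alternative to `Prohibit` that skips the DOCTYPE instead of failing, but it still does not expand entities, so either setting removes the XML-bomb and external-entity risk this rule targets.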