CA5371: Use XmlReader for schema read
Property | Value |
---|---|
Rule ID | CA5371 |
Title | Use XmlReader for schema read |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 9 | No |
Cause
Processing untrusted XML input with XmlSchema.Read instantiated without an XmlReader
object can potentially lead to denial of service, information disclosure, and server-side request forgery attacks. These attacks are enabled by untrusted DTD and XML schema processing, which allows for the inclusion of XML bombs and malicious external entities in the XML. Only with XmlReader
is it possible to disable DTD. Inline XML schema processing as XmlReader
has the ProhibitDtd
and ProcessInlineSchema
property set to false by default in .NET Framework starting in version 4.0. The other options such as Stream
, TextReader
, and XmlSerializationReader
cannot disable DTD processing.
Rule description
Processing untrusted DTD and XML schemas may enable loading dangerous external references. Using an XmlReader
with a secure resolver or with DTD and XML inline schema processing disabled restricts this. This rule detects code that uses the XmlSchema.Read method without XmlReader
as a parameter.
How to fix violations
Use XmlSchema.Read(XmlReader, *)
overloads.
When to suppress warnings
You can potentially suppress this warning if the XmlSchema.Read method is always used to process XML that comes from a trusted source and hence cannot be tampered with.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5371
// The code that's violating the rule is on this line.
#pragma warning restore CA5371
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5371.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Violation
The following pseudo-code sample illustrates the pattern detected by this rule.
The type of the first parameter of XmlSchema.Read is not XmlReader
.
using System.IO;
using System.Xml.Schema;
...
public void TestMethod(Stream stream, ValidationEventHandler validationEventHandler)
{
XmlSchema.Read(stream, validationEventHandler);
}
Solution
using System.IO;
using System.Xml.Schema;
...
public void TestMethod(XmlReader reader, ValidationEventHandler validationEventHandler)
{
XmlSchema.Read(reader, validationEventHandler);
}