csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.

Run Locally

Run in CI

Defintion

rules:
  - id: xmldocument-unsafe-parser-override
    mode: taint
    pattern-sources:
      - patterns:
          - pattern: $ARG
          - pattern-inside: |
              public $T $M(...,string $ARG,...){...}
    pattern-sinks:
      - patterns:
          - pattern: |
              $XMLDOCUMENT.$METHOD(...)
          - pattern-inside: |
              XmlDocument $XMLDOCUMENT = new XmlDocument(...);
              ...
              $XMLDOCUMENT.XmlResolver = new XmlUrlResolver(...);
              ...  
    message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader
      handling a string argument from a public method.  Enabling Document Type
      Definition (DTD) parsing may cause XML External Entity (XXE) injection if
      supplied with user-controllable data.
    languages:
      - csharp
    severity: WARNING
    metadata:
      category: security
      license: MIT
      references:
        - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/
        - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks
      technology:
        - .net
        - xml
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: LOW
      confidence: MEDIUM

Examples

xmldocument-unsafe-parser-override.cs

public class Foo{
    public void LoadBad(string input)
    {
        string fileName = @"C:\Users\user\Documents\test.xml";
        XmlDocument xmlDoc = new XmlDocument();
        xmlDoc.XmlResolver = new XmlUrlResolver();
        // ruleid: xmldocument-unsafe-parser-override
        xmlDoc.Load(input);
        Console.WriteLine(xmlDoc.InnerText);

        Console.ReadLine();
    }

    public static void StaticLoadBad(string input)
    {
        string fileName = @"C:\Users\user\Documents\test.xml";
        XmlDocument xmlDoc = new XmlDocument();
        xmlDoc.XmlResolver = new XmlUrlResolver();
        // ruleid: xmldocument-unsafe-parser-override
        xmlDoc.Load(input);
        Console.WriteLine(xmlDoc.InnerText);

        Console.ReadLine();
    }
    
    public void LoadGood(string input)
    {
        XmlDocument xmlDoc = new XmlDocument();
        // ok: xmldocument-unsafe-parser-override
        xmlDoc.Load(input);
        Console.WriteLine(xmlDoc.InnerText);

        Console.ReadLine();
    }
}