csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override

Author
unknown
XmlDocument found with its XmlResolver set to an XmlUrlResolver before loading a string argument from a public method. Assigning an XmlUrlResolver lets the parser fetch external Document Type Definitions (DTDs) and external entities, which may cause XML External Entity (XXE) injection if the loaded content is user-controllable.

Definition

rules:
  - id: xmldocument-unsafe-parser-override
    mode: taint
    pattern-sources:
      - patterns:
          - focus-metavariable: $ARG
          - pattern-inside: |
              public $T $M(...,string $ARG,...){...}
    pattern-sinks:
      - patterns:
          - pattern: |
              $XMLDOCUMENT.$METHOD(...)
          - pattern-inside: |
              XmlDocument $XMLDOCUMENT = new XmlDocument(...);
              ...
              $XMLDOCUMENT.XmlResolver = new XmlUrlResolver(...);
              ...
    message: XmlDocument found with its XmlResolver set to an XmlUrlResolver
      before loading a string argument from a public method. Assigning an
      XmlUrlResolver lets the parser fetch external Document Type Definitions
      (DTDs) and external entities, which may cause XML External Entity (XXE)
      injection if the loaded content is user-controllable.
    languages:
      - csharp
    severity: WARNING
    metadata:
      category: security
      references:
        - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/
        - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks
      technology:
        - .net
        - xml
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection

Examples

xmldocument-unsafe-parser-override.cs

using System;
using System.Xml;

public class Foo
{
    public void LoadBad(string input)
    {
        XmlDocument xmlDoc = new XmlDocument();
        // An XmlUrlResolver allows external DTDs and entities to be fetched.
        xmlDoc.XmlResolver = new XmlUrlResolver();
        // ruleid: xmldocument-unsafe-parser-override
        xmlDoc.Load(input);
        Console.WriteLine(xmlDoc.InnerText);

        Console.ReadLine();
    }

    public static void StaticLoadBad(string input)
    {
        XmlDocument xmlDoc = new XmlDocument();
        // Same unsafe resolver assignment in a static public method.
        xmlDoc.XmlResolver = new XmlUrlResolver();
        // ruleid: xmldocument-unsafe-parser-override
        xmlDoc.Load(input);
        Console.WriteLine(xmlDoc.InnerText);

        Console.ReadLine();
    }

    public void LoadGood(string input)
    {
        // No XmlUrlResolver is assigned, so the sink pattern does not match.
        XmlDocument xmlDoc = new XmlDocument();
        // ok: xmldocument-unsafe-parser-override
        xmlDoc.Load(input);
        Console.WriteLine(xmlDoc.InnerText);

        Console.ReadLine();
    }
}
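The rule's "ok" case only omits the resolver assignment. The hardened form a practitioner would actually want sets the resolver to null explicitly and prohibits DTD processing at the reader level; the following is an added example, not part of the rule's test file, and its sample documents are constructed:

```csharp
using System;
using System.IO;
using System.Xml;

public static class SafeXmlLoader
{
    // Hardened counterpart to LoadBad/LoadGood: no resolver on the reader or the
    // document, and DTD processing prohibited so any DOCTYPE is rejected outright.
    public static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // throw on any <!DOCTYPE ...>
            XmlResolver = null                      // never fetch external resources
        };

        var xmlDoc = new XmlDocument { XmlResolver = null }; // nothing for the document to resolve with
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            xmlDoc.Load(reader); // Load(XmlReader) honours the reader's settings
        }
        return xmlDoc;
    }

    public static void Main()
    {
        // Constructed sample inputs (not from the rule's test file).
        const string plain = "<note><to>alice</to></note>";
        const string withDtd = "<!DOCTYPE note [<!ENTITY greet \"hi\">]><note>&greet;</note>";

        Console.WriteLine(LoadUntrusted(plain).InnerText);

        try
        {
            LoadUntrusted(withDtd);
        }
        catch (XmlException ex)
        {
            // Prohibit rejects even this harmless internal DTD. If such documents must be
            // accepted, use DtdProcessing.Ignore while keeping XmlResolver = null.
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Note that the rule's sink pattern keys on `new XmlUrlResolver(...)`, so an explicit `XmlResolver = null` is never flagged; the reader settings are what guarantee the DTD is not processed regardless of the document's resolver.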