csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override


XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.


Definition

rules:
  - id: xmlreadersettings-unsafe-parser-override
    # Taint-mode rule: a string parameter of a public method (source) must not
    # reach an XmlReader built from XmlReaderSettings whose DtdProcessing has
    # been set to Parse (sink). Only public methods are considered entry points.
    mode: taint
    pattern-sources:
      - patterns:
          # Only the string parameter itself is tainted, not the whole method body.
          - focus-metavariable: $ARG
          - pattern-inside: |
              public $T $M(...,string $ARG,...){...}
    pattern-sinks:
      - patterns:
          # The sink is the reader construction; $RS must be the same settings
          # object that the pattern-inside below shows being switched to Parse.
          # Note the sink requires the reader to be assigned to a local of
          # declared type XmlReader (a `var` declaration would not match).
          - pattern: |
              XmlReader $READER = XmlReader.Create(...,$RS,...);
          # The settings object is created and, somewhere later in the same
          # statement sequence, its DtdProcessing is set to Parse. A settings
          # object left at its default, or set to Ignore/Prohibit, is not a sink.
          - pattern-inside: |
              XmlReaderSettings $RS = new XmlReaderSettings();
              ...
              $RS.DtdProcessing = DtdProcessing.Parse;
              ...        
    message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader
      handling a string argument from a public method. Enabling Document Type
      Definition (DTD) parsing may cause XML External Entity (XXE) injection if
      supplied with user-controllable data.
    languages:
      - csharp
    # WARNING rather than ERROR: the rule cannot tell whether the public method is
    # actually reachable with attacker-controlled input (see likelihood: LOW).
    severity: WARNING
    metadata:
      category: security
      references:
        - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/
        - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks
      technology:
        - .net
        - xml
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection

Examples

xmlreadersettings-unsafe-parser-override.cs

/// <summary>
/// Positive fixture for xmlreadersettings-unsafe-parser-override: the public
/// method's string parameter is wrapped in a StringReader and parsed by an
/// XmlReader whose settings enable DTD processing.
/// </summary>
/// <param name="input">Caller-supplied XML text; the rule treats it as the taint source.</param>
public void ParseBad(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // Switching DtdProcessing to Parse is what makes the reader below a sink:
    // DTDs (and any external entities they declare) will be processed.
    rs.DtdProcessing = DtdProcessing.Parse;

    // ruleid:xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(new StringReader(input),rs);
            
    // NOTE(review): myReader is never disposed; acceptable in a rule fixture,
    // but production code would wrap it in a using declaration.
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}

/// <summary>
/// Positive fixture: same flow as ParseBad, but on a public static method.
/// Checks that the source pattern (`public $T $M(...,string $ARG,...)`) still
/// matches when the `static` modifier is present.
/// </summary>
/// <param name="input">Caller-supplied XML text; the rule treats it as the taint source.</param>
public static void StaticParseBad(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // DTD processing enabled on the settings object that is passed to Create below.
    rs.DtdProcessing = DtdProcessing.Parse;

    // ruleid:xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(new StringReader(input),rs);
            
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}

/// <summary>
/// Positive fixture: the tainted string is passed directly to
/// XmlReader.Create instead of through a StringReader. That overload
/// interprets the string as a URI, so besides the DTD concern the parameter
/// also decides where the XML is loaded from; the rule flags it the same way.
/// </summary>
/// <param name="input">Caller-supplied string; the rule treats it as the taint source.</param>
public void ParseBad2(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // DTD processing enabled on the settings object that is passed to Create below.
    rs.DtdProcessing = DtdProcessing.Parse;

    // ruleid:xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(input,rs);
            
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}

/// <summary>
/// Positive fixture: the StringReader over the tainted parameter is held in a
/// using block and the XmlReader is created inside it. Checks that taint
/// propagates through the `reader` local and that the sink is found one
/// nesting level below the settings override.
/// </summary>
/// <param name="input">Caller-supplied XML text; the rule treats it as the taint source.</param>
public void ParseBad3(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // DTD processing enabled before the reader is created.
    rs.DtdProcessing = DtdProcessing.Parse;

    using(var reader = new StringReader(input)){
        // ruleid:xmlreadersettings-unsafe-parser-override
        XmlReader myReader = XmlReader.Create(reader,rs);
                
        while (myReader.Read())
        {
            Console.WriteLine(myReader.Value);
        }
        Console.ReadLine();
    }
}

/// <summary>
/// Negative fixture: identical data flow to ParseBad, but DtdProcessing is set
/// to Ignore, so the settings object never matches the rule's pattern-inside
/// and the reader is not a sink.
/// </summary>
/// <param name="input">Caller-supplied XML text; still reaches the reader, but no DTD is processed.</param>
public void ParseGood(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // Ignore (like the default Prohibit) keeps DTDs from being processed.
    rs.DtdProcessing = DtdProcessing.Ignore;

    // ok: xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(new StringReader(input),rs);
            
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}

/// <summary>
/// Negative fixture with two readers: the first is built before the settings
/// object is switched to Parse, the second after it but without passing the
/// settings object at all. Neither XmlReader.Create call receives `rs`, so the
/// sink pattern (`XmlReader.Create(...,$RS,...)`) does not match.
/// </summary>
/// <param name="input">Caller-supplied XML text; reaches both readers, but never with DTD processing enabled.</param>
public void ParseGood2(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // Reader created before the override; settings are not passed to Create.
    // NOTE(review): StringReader has no (string, XmlReaderSettings) constructor,
    // so this line would not compile as written — looks like a fixture typo;
    // confirm whether `rs` was meant to go to XmlReader.Create instead.
    // ok: xmlreadersettings-unsafe-parser-override
    using(var reader = new StringReader(input,rs)){
        XmlReader myReader = XmlReader.Create(reader);
                
        while (myReader.Read())
        {
            Console.WriteLine(myReader.Value);
        }
        Console.ReadLine();
    }
    rs.DtdProcessing = DtdProcessing.Parse;

    // Reader created after the override, but without the settings object, so
    // the Parse setting never applies to it.
    // ok: xmlreadersettings-unsafe-parser-override
    using(var reader = new StringReader(input)){
        XmlReader myReader = XmlReader.Create(reader);
                
        while (myReader.Read())
        {
            Console.WriteLine(myReader.Value);
        }
        Console.ReadLine();
    }
}
/// <summary>
/// Negative fixture: the settings object does enable DTD processing and is
/// passed to the reader, but the data the reader parses comes from
/// someSafeLoad(), not from the public method's string parameter. The tainted
/// value is only copied into an unused local, so no source reaches the sink.
/// </summary>
/// <param name="input">Caller-supplied string; tainted, but never parsed.</param>
public void ParseGood3(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // ok: xmlreadersettings-unsafe-parser-override
    var something = input;
    // Parse is enabled, so the sink precondition holds; only the source is missing.
    rs.DtdProcessing = DtdProcessing.Parse;

    // someSafeLoad is defined elsewhere; assumed to return XML not derived from `input`.
    var notInput = someSafeLoad();
    // ok: xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(new StringReader(notInput),rs);
            
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}