csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override
XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.
Definition
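rules:
  - id: xmlreadersettings-unsafe-parser-override
    # Taint rule: a finding needs a data-flow path from a source below to a sink below.
    mode: taint
    # Source: any `string` parameter of a public method. focus-metavariable makes
    # the parameter itself (not the whole method) the tainted expression.
    pattern-sources:
      - patterns:
          - focus-metavariable: $ARG
          - pattern-inside: |
              public $T $M(...,string $ARG,...){...}
    # Sink: an XmlReader.Create(...) call that receives settings `$RS`, where `$RS`
    # was built with the parameterless constructor and later had DtdProcessing
    # assigned to Parse somewhere before the call (the `...` allow other statements
    # in between).
    # NOTE(review): only the "construct, then assign" shape is recognised. Settings
    # configured via an object initializer, or an XmlReaderSettings instance passed
    # in from elsewhere, are not matched by this sink — extend if that matters.
    pattern-sinks:
      - patterns:
          - pattern: |
              XmlReader $READER = XmlReader.Create(...,$RS,...);
          - pattern-inside: |
              XmlReaderSettings $RS = new XmlReaderSettings();
              ...
              $RS.DtdProcessing = DtdProcessing.Parse;
              ...
    # NOTE(review): whether external entities are actually fetched also depends on
    # XmlReaderSettings.XmlResolver (null by default on recent frameworks — confirm
    # for the target framework); DtdProcessing.Parse alone still permits entity
    # expansion within the document, so findings are worth triaging either way.
    message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader
      handling a string argument from a public method. Enabling Document Type
      Definition (DTD) parsing may cause XML External Entity (XXE) injection if
      supplied with user-controllable data.
    languages:
      - csharp
    severity: WARNING
    metadata:
      category: security
      references:
        - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/
        - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks
      technology:
        - .net
        - xml
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection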
Examples
xmlreadersettings-unsafe-parser-override.cs
/// <summary>
/// Rule-test fixture, expected finding: <paramref name="input"/> is a string
/// parameter of a public method (the rule's taint source) and reaches
/// XmlReader.Create together with settings whose DtdProcessing was set to
/// Parse after construction (the rule's sink).
/// </summary>
/// <param name="input">XML text to parse; tainted from the rule's point of view.</param>
/// <remarks>
/// The statement sequence is what the rule's pattern-inside matches, so the body
/// is kept in this exact shape (no `using` around the reader, reader left open).
/// </remarks>
public void ParseBad(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // Enables DTD processing on the settings object that is handed to the reader below.
    rs.DtdProcessing = DtdProcessing.Parse;
    // ruleid:xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(new StringReader(input),rs);
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}
/// <summary>
/// Rule-test fixture, expected finding: same flow as ParseBad, but on a
/// <c>static</c> method. Checks that the source pattern
/// (<c>public $T $M(...,string $ARG,...)</c>) still matches when extra
/// modifiers precede the return type.
/// </summary>
/// <param name="input">XML text to parse; tainted from the rule's point of view.</param>
public static void StaticParseBad(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    rs.DtdProcessing = DtdProcessing.Parse;
    // ruleid:xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(new StringReader(input),rs);
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}
/// <summary>
/// Rule-test fixture, expected finding: the tainted string is passed directly
/// to XmlReader.Create rather than wrapped in a StringReader.
/// </summary>
/// <param name="input">Passed straight to XmlReader.Create; tainted from the rule's point of view.</param>
/// <remarks>
/// NOTE(review): the XmlReader.Create overload taking a string treats it as an
/// input URI, so here the caller controls which location is read, not the XML
/// text itself — a distinct concern from XXE that this rule does not report on.
/// </remarks>
public void ParseBad2(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    rs.DtdProcessing = DtdProcessing.Parse;
    // ruleid:xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(input,rs);
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}
/// <summary>
/// Rule-test fixture, expected finding: the tainted string flows through an
/// intermediate <c>StringReader</c> local declared in a <c>using</c> block
/// before reaching XmlReader.Create. Checks that the taint survives the
/// extra assignment and the nested block.
/// </summary>
/// <param name="input">XML text to parse; tainted from the rule's point of view.</param>
public void ParseBad3(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    rs.DtdProcessing = DtdProcessing.Parse;
    using(var reader = new StringReader(input)){
        // ruleid:xmlreadersettings-unsafe-parser-override
        XmlReader myReader = XmlReader.Create(reader,rs);
        while (myReader.Read())
        {
            Console.WriteLine(myReader.Value);
        }
        Console.ReadLine();
    }
}
/// <summary>
/// Rule-test fixture, no finding expected: identical flow to ParseBad, but
/// DtdProcessing is set to <c>Ignore</c>, which the sink pattern
/// (<c>$RS.DtdProcessing = DtdProcessing.Parse</c>) does not match.
/// </summary>
/// <param name="input">XML text to parse.</param>
public void ParseGood(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    rs.DtdProcessing = DtdProcessing.Ignore;
    // ok: xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(new StringReader(input),rs);
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}
/// <summary>
/// Rule-test fixture, no finding expected, covering two orderings: a reader
/// created before DtdProcessing is changed, and a reader created after the
/// change but without passing the settings object to XmlReader.Create.
/// </summary>
/// <param name="input">XML text to parse.</param>
/// <remarks>
/// NOTE(review): <c>new StringReader(input,rs)</c> below does not correspond
/// to any StringReader constructor (it takes a single string), so this fixture
/// presumably is matched as a pattern only and never compiled — confirm.
/// </remarks>
public void ParseGood2(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // Reader created before DtdProcessing is overridden: settings still at default.
    // ok: xmlreadersettings-unsafe-parser-override
    using(var reader = new StringReader(input,rs)){
        XmlReader myReader = XmlReader.Create(reader);
        while (myReader.Read())
        {
            Console.WriteLine(myReader.Value);
        }
        Console.ReadLine();
    }
    rs.DtdProcessing = DtdProcessing.Parse;
    // Reader created after the override, but `rs` is never passed to Create,
    // so the sink pattern (Create(...,$RS,...)) has nothing to bind.
    // ok: xmlreadersettings-unsafe-parser-override
    using(var reader = new StringReader(input)){
        XmlReader myReader = XmlReader.Create(reader);
        while (myReader.Read())
        {
            Console.WriteLine(myReader.Value);
        }
        Console.ReadLine();
    }
}
/// <summary>
/// Rule-test fixture, no finding expected: the tainted parameter is copied
/// into a local that is never used, and the reader is fed a value from
/// <c>someSafeLoad()</c> (defined outside this file), which the rule does not
/// treat as a source. Checks that the sink alone does not produce a finding.
/// </summary>
/// <param name="input">Tainted value that never reaches the sink.</param>
public void ParseGood3(string input){
    XmlReaderSettings rs = new XmlReaderSettings();
    // ok: xmlreadersettings-unsafe-parser-override
    var something = input;
    rs.DtdProcessing = DtdProcessing.Parse;
    // Not derived from `input`, so no taint flows into the Create call below.
    var notInput = someSafeLoad();
    // ok: xmlreadersettings-unsafe-parser-override
    XmlReader myReader = XmlReader.Create(new StringReader(notInput),rs);
    while (myReader.Read())
    {
        Console.WriteLine(myReader.Value);
    }
    Console.ReadLine();
}