csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults

Author: semgrep
An XmlTextReader is used to read a string argument of a public method without DtdProcessing being set to DtdProcessing.Prohibit. XmlTextReader parses Document Type Definitions (DTDs) by default (DtdProcessing.Parse), and older .NET Framework versions also resolve external entities by default (XmlResolver set to an XmlUrlResolver), so user-controllable input can lead to XML External Entity (XXE) injection. Set DtdProcessing to DtdProcessing.Prohibit and XmlResolver to null before the first Read(), or construct the reader with XmlReader.Create, whose default XmlReaderSettings already prohibit DTDs. Note that the rule treats only string parameters of public methods as sources and only recognises DtdProcessing.Prohibit as the fix; readers fed from a Stream, or hardened with DtdProcessing.Ignore, fall outside what it reports.

Definition

rules:
  - id: xmltextreader-unsafe-defaults
    mode: taint
    pattern-sources:
      - patterns:
          - focus-metavariable: $ARG
          - pattern-inside: |
              public $T $M(...,string $ARG,...){...}
    pattern-sinks:
      - patterns:
          - pattern: |
              $READER.$METHOD(...)
          - pattern-not-inside: |
              $READER.DtdProcessing = DtdProcessing.Prohibit;
              ...
          - pattern-inside: |
              XmlTextReader $READER = new XmlTextReader(...);
              ...
    message: XmlTextReader found reading a string argument from a public method
      without DtdProcessing set to DtdProcessing.Prohibit. XmlTextReader parses
      Document Type Definitions (DTDs) by default, and older .NET Framework
      versions also resolve external entities by default, which may cause XML
      External Entity (XXE) injection if supplied with user-controllable data.
    languages:
      - csharp
    severity: WARNING
    metadata:
      category: security
      references:
        - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/
        - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks
      technology:
        - .net
        - xml
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection

Examples

xmltextreader-unsafe-defaults.cs

using System;
using System.IO;
using System.Xml;

namespace SomeNamespace{
    public class Foo{
        // The string parameter of a public method is the rule's taint source.
        public void ReaderBad(string userInput)
        {
            // DtdProcessing is never set, so the reader keeps XmlTextReader's default of parsing DTDs.
            XmlTextReader myReader = new XmlTextReader(new StringReader(userInput));

            // ruleid: xmltextreader-unsafe-defaults
            while (myReader.Read())
            {
                if (myReader.NodeType == XmlNodeType.Element)
                {
                    // ruleid: xmltextreader-unsafe-defaults
                    Console.WriteLine(myReader.ReadElementContentAsString());
                }
            }
            Console.ReadLine();
        }

        // Static public methods are matched by the same source pattern.
        public static void StaticReaderBad(string userInput)
        {
            XmlTextReader myReader = new XmlTextReader(new StringReader(userInput));

            // ruleid: xmltextreader-unsafe-defaults
            while (myReader.Read())
            {
                if (myReader.NodeType == XmlNodeType.Element)
                {
                    // ruleid: xmltextreader-unsafe-defaults
                    Console.WriteLine(myReader.ReadElementContentAsString());
                }
            }
            Console.ReadLine();
        }

        public void ReaderGood(string userInput)
        {
            XmlTextReader myReader = new XmlTextReader(new StringReader(userInput));
            // Prohibiting DTDs before the first Read() makes the reader throw on any DOCTYPE,
            // so no entities can be declared; this is the assignment the rule's pattern-not-inside looks for.
            myReader.DtdProcessing = DtdProcessing.Prohibit;
            // ok: xmltextreader-unsafe-defaults
            while (myReader.Read())
            {
                if (myReader.NodeType == XmlNodeType.Element)
                {
                    // ok: xmltextreader-unsafe-defaults
                    Console.WriteLine(myReader.ReadElementContentAsString());
                }
            }
            Console.ReadLine();
        }
    }
}
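To show what the "unsafe defaults" the rule warns about mean at runtime, here is an added, self-contained example; it is not part of the Semgrep rule or of its test file above. It constructs an XXE payload whose external entity points at a temporary file that the program itself writes (the file name `xxe-demo-secret.txt` and its content `s3cr3t-value` are constructed for the demo), then parses the payload twice with an XmlTextReader: once with DTD parsing, an XmlUrlResolver and entity expansion switched on explicitly, so the outcome does not depend on which .NET version supplies the defaults, and once with the hardening the rule looks for (DtdProcessing.Prohibit) plus XmlResolver = null. The first reader returns the file contents to the caller; the second throws XmlException as soon as it reaches the DOCTYPE.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not Semgrep's rule test code: demonstrates XXE through
// XmlTextReader and the hardening that stops it.
public static class XxeDemo
{
    // Constructed XXE payload: the external entity "xxe" points at a local file
    // via a file:// URI, and the document body references it.
    public static string BuildPayload(string filePath)
    {
        string fileUri = new Uri(filePath).AbsoluteUri;
        return "<?xml version=\"1.0\"?>\n" +
               "<!DOCTYPE data [\n" +
               "  <!ENTITY xxe SYSTEM \"" + fileUri + "\">\n" +
               "]>\n" +
               "<data>&xxe;</data>";
    }

    // Unsafe reader: the properties are set explicitly to the values older
    // .NET Framework versions used by default, so the demo is deterministic.
    public static string ParseUnsafe(string xml)
    {
        var reader = new XmlTextReader(new StringReader(xml));
        reader.DtdProcessing = DtdProcessing.Parse;       // parse the DOCTYPE and its entity declarations
        reader.XmlResolver = new XmlUrlResolver();        // fetch SYSTEM entities (file://, http://, ...)
        reader.EntityHandling = EntityHandling.ExpandEntities; // inline entity content into text nodes
        return ReadDataElement(reader);
    }

    // Hardened reader: Prohibit makes any DOCTYPE a fatal XmlException, and a
    // null resolver is defence in depth should DtdProcessing ever be changed.
    public static string ParseHardened(string xml)
    {
        var reader = new XmlTextReader(new StringReader(xml));
        reader.DtdProcessing = DtdProcessing.Prohibit;
        reader.XmlResolver = null;
        return ReadDataElement(reader);
    }

    // Returns the text content of the <data> element, or null if absent.
    private static string ReadDataElement(XmlReader reader)
    {
        using (reader)
        {
            while (reader.Read())
            {
                if (reader.NodeType == XmlNodeType.Element && reader.Name == "data")
                {
                    return reader.ReadElementContentAsString();
                }
            }
        }
        return null;
    }

    public static void Main()
    {
        // Constructed "secret" file standing in for /etc/passwd or a config file.
        string secretFile = Path.Combine(Path.GetTempPath(), "xxe-demo-secret.txt");
        File.WriteAllText(secretFile, "s3cr3t-value");
        string payload = BuildPayload(secretFile);

        try
        {
            // The unsafe reader returns the file contents as the element's text.
            Console.WriteLine("Unsafe reader returned: " + ParseUnsafe(payload));

            try
            {
                ParseHardened(payload);
                Console.WriteLine("Hardened reader parsed the document (unexpected)");
            }
            catch (XmlException ex)
            {
                // Expected: the DOCTYPE is rejected before any entity is declared.
                Console.WriteLine("Hardened reader rejected the DOCTYPE: " + ex.Message);
            }
        }
        finally
        {
            File.Delete(secretFile);
        }
    }
}
```

Build it as a console application (for example `dotnet new console` and replace Program.cs). Two points follow from the rule's pattern: it only recognises `DtdProcessing.Prohibit` as the fix, so a reader hardened with `DtdProcessing.Ignore` or with only `XmlResolver = null` is still reported; and conversely `DtdProcessing.Prohibit` on its own is sufficient to stop external entities, because the reader refuses the DOCTYPE in which they would have to be declared.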