csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.

Run Locally

Run in CI

Defintion

rules:
  - id: xmltextreader-unsafe-defaults
    mode: taint
    pattern-sources:
      - patterns:
          - pattern: $ARG
          - pattern-inside: |
              public $T $M(...,string $ARG,...){...}
    pattern-sinks:
      - patterns:
          - pattern: |
              $READER.$METHOD(...)
          - pattern-not-inside: |
              $READER.DtdProcessing = DtdProcessing.Prohibit;
              ...
          - pattern-inside: |
              XmlTextReader $READER = new XmlTextReader(...);
              ...
    message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader
      handling a string argument from a public method.  Enabling Document Type
      Definition (DTD) parsing may cause XML External Entity (XXE) injection if
      supplied with user-controllable data.
    languages:
      - csharp
    severity: WARNING
    metadata:
      category: security
      license: MIT
      references:
        - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/
        - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks
      technology:
        - .net
        - xml
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: LOW
      confidence: MEDIUM

Examples

xmltextreader-unsafe-defaults.cs

namespace SomeNamespace{
    public class Foo{
        public void ReaderBad(string userInput)
        {
            XmlTextReader myReader = new XmlTextReader(new StringReader(userInput));

            // ruleid: xmltextreader-unsafe-defaults
            while (myReader.Read())
            {
                if (myReader.NodeType == XmlNodeType.Element)
                {
                    // ruleid: xmltextreader-unsafe-defaults
                    Console.WriteLine(myReader.ReadElementContentAsString());
                }
            }
            Console.ReadLine();
        }

        public static void StaticReaderBad(string userInput)
        {
            XmlTextReader myReader = new XmlTextReader(new StringReader(userInput));

            // ruleid: xmltextreader-unsafe-defaults
            while (myReader.Read())
            {
                if (myReader.NodeType == XmlNodeType.Element)
                {
                    // ruleid: xmltextreader-unsafe-defaults
                    Console.WriteLine(myReader.ReadElementContentAsString());
                }
            }
            Console.ReadLine();
        }

        public void ReaderGood(string userInput)
        {
            XmlTextReader myReader = new XmlTextReader(new StringReader(userInput));
            myReader.DtdProcessing = DtdProcessing.Prohibit;
            // ok: xmltextreader-unsafe-defaults
            while (myReader.Read())
            {
                if (myReader.NodeType == XmlNodeType.Element)
                {
                    // ok: xmltextreader-unsafe-defaults
                    Console.WriteLine(myReader.ReadElementContentAsString());
                }
            }
            Console.ReadLine();
        }
    }
}