gitlab.security_code_scan.SCS0007-1


The method identified is susceptible to injection. The input should be validated and properly escaped.


Definition

rules:
  - id: security_code_scan.SCS0007-1
    mode: taint
    pattern-sanitizers:
      - pattern: (XmlReaderSettings $SETTINGS).ProhibitDtd = true;
      - pattern: (XmlReaderSettings $SETTINGS).DtdProcessing = DtdProcessing.Prohibit;
      - pattern: (XmlDocument $DOC).XmlResolver = null;
      - pattern: var $DOC = new XmlDocument { ..., XmlResolver = null, ... };
    pattern-sinks:
      - pattern: XmlReader.Create(..., $SETTINGS);
      - pattern: (XmlDocument $DOC).Load(...);
    pattern-sources:
      - pattern: var $SETTINGS = new XmlReaderSettings();
      - pattern: var $DOC = new XmlDocument(...);
      - pattern: var $DOC = new XmlDocument {...};
    message: >
      The method identified is susceptible to injection. The input should be
      validated and properly escaped.
    languages:
      - csharp
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-611: Improper Restriction of XML External Entity Reference (‘XXE’)"
      license: MIT
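The rule above is a taint rule: a freshly constructed `XmlReaderSettings` or `XmlDocument` is the source, `XmlReader.Create(..., settings)` or `doc.Load(...)` is the sink, and the assignments under pattern-sanitizers clear the taint. The C# below is an added example, not code from the rule page or from Security Code Scan, showing one method that the rule reports and two that it does not; the sample document and its `file:///placeholder/path` system identifier are constructed for the example.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not taken from the rule page or from Security Code Scan:
// the C# shapes that the rule's pattern-sources, pattern-sinks and
// pattern-sanitizers refer to, and how the hardened form behaves at runtime.
public static class XxeExamples
{
    // Constructed sample input: a document that declares an external entity.
    // The SYSTEM identifier is a placeholder, not a real resource.
    public const string SampleXml =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n" +
        "<doc>&ext;</doc>";

    // Reported by the rule: the source `var settings = new XmlReaderSettings();`
    // reaches the sink `XmlReader.Create(..., settings)` with no sanitizer on
    // the path. Whether the entity is actually resolved depends on the runtime's
    // defaults, which is why the unconfigured settings object is flagged.
    public static string FirstTextNode_Flagged(string xml)
    {
        var settings = new XmlReaderSettings();
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        return FirstTextNode(reader);
    }

    // Not reported: `settings.DtdProcessing = DtdProcessing.Prohibit;` is one of
    // the rule's pattern-sanitizers, so the taint is cleared before the sink.
    // Written as a statement rather than an object initializer so that it matches
    // the sanitizer pattern exactly as the rule spells it.
    public static string FirstTextNode_Hardened(string xml)
    {
        var settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit;
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        return FirstTextNode(reader);
    }

    // XmlDocument variant of the same rule: `doc.XmlResolver = null;` is the
    // sanitizer for the `doc.Load(...)` sink. With no resolver the document
    // cannot fetch external entities even where DTD parsing itself is allowed.
    public static string RootText_DocumentHardened(string xml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null;
        using (var reader = new StringReader(xml))
        {
            doc.Load(reader);
        }
        return doc.DocumentElement?.InnerText ?? string.Empty;
    }

    private static string FirstTextNode(XmlReader reader)
    {
        while (reader.Read())
        {
            if (reader.NodeType == XmlNodeType.Text)
                return reader.Value;
        }
        return string.Empty;
    }

    public static void Main()
    {
        try
        {
            // The hardened reader rejects the DOCTYPE before any entity is seen.
            Console.WriteLine(FirstTextNode_Hardened(SampleXml));
        }
        catch (XmlException ex)
        {
            Console.WriteLine("DTD rejected as expected: " + ex.Message);
        }
    }
}
```

Running `Main` exercises only the hardened reader path, which throws an `XmlException` on the `<!DOCTYPE>` because DTD processing is prohibited; that is the behaviour the sanitizer patterns are there to guarantee. The flagged method is included only to show the source-to-sink shape the rule matches, and is deliberately not called.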