rspec/rules/S2435/rule-except-see.adoc

Using unvalidated XML can expose an application to several types of XML-related attacks:

* XML injection - the structure and/or contents of the document are changed by the addition of extra elements
* XML entity expansion - the size of the document is ballooned by injecting elements that expand exponentially, exhausing server resources
* XML external entity injection - entities are injected which result dynamically including data from another source, such as a sensitive file on the filesystem.

This rule checks that method parameters are not unconditionally used directly in XML.


=== Noncompliant code example

[source,text]
----
private string writeXml(OleDbDataReader odr) {

  XmlTextWriter xTWriter = null;
  string key = String.Empty;
  string value = String.Empty;

  try 
  {
    while(oDR.Read()) 
    {
      key = odr.GetValue(0);
      value = odr.GetValue(1);
      xTWriter.WriteElementString(key, value);  // Noncompliant
    }
  }
}
----


=== Compliant solution

[source,text]
----

private string writeXml(OleDbDataReader odr) {

  XmlTextWriter xTWriter = null;
  string key = String.Empty;
  string value = String.Empty;

  try 
  {
    while(oDR.Read()) 
    {
      key = System.SecurityElement.Escape(odr.GetValue(0));
      value = System.SecurityElement.Escape(odr.GetValue(1));
      xTWriter.WriteElementString(key, value); 
    }
  }
}
----
RULEAPI-665: Remove security standards from the irrelevant language-specific rules (#362) 2021-09-21 15:40:35 +02:00			`Using unvalidated XML can expose an application to several types of XML-related attacks:`

			`* XML injection - the structure and/or contents of the document are changed by the addition of extra elements`
			`* XML entity expansion - the size of the document is ballooned by injecting elements that expand exponentially, exhausing server resources`
			`* XML external entity injection - entities are injected which result dynamically including data from another source, such as a sensitive file on the filesystem.`

			`This rule checks that method parameters are not unconditionally used directly in XML.`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
RULEAPI-665: Remove security standards from the irrelevant language-specific rules (#362) 2021-09-21 15:40:35 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,text]`
RULEAPI-665: Remove security standards from the irrelevant language-specific rules (#362) 2021-09-21 15:40:35 +02:00			`----`
			`private string writeXml(OleDbDataReader odr) {`

			`XmlTextWriter xTWriter = null;`
			`string key = String.Empty;`
			`string value = String.Empty;`

			`try`
			`{`
			`while(oDR.Read())`
			`{`
			`key = odr.GetValue(0);`
			`value = odr.GetValue(1);`
			`xTWriter.WriteElementString(key, value); // Noncompliant`
			`}`
			`}`
			`}`
			`----`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
RULEAPI-665: Remove security standards from the irrelevant language-specific rules (#362) 2021-09-21 15:40:35 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,text]`
RULEAPI-665: Remove security standards from the irrelevant language-specific rules (#362) 2021-09-21 15:40:35 +02:00			`----`

			`private string writeXml(OleDbDataReader odr) {`

			`XmlTextWriter xTWriter = null;`
			`string key = String.Empty;`
			`string value = String.Empty;`

			`try`
			`{`
			`while(oDR.Read())`
			`{`
			`key = System.SecurityElement.Escape(odr.GetValue(0));`
			`value = System.SecurityElement.Escape(odr.GetValue(1));`
			`xTWriter.WriteElementString(key, value);`
			`}`
			`}`
			`}`
			`----`