ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6399/rationale.adoc

14 lines
628 B
Plaintext
Raw Normal View History

Create rule S6399(C#): XML operations should not be vulnerable to injection attacks (#2860) You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6399/csharp) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
2023-08-18 11:31:42 +02:00
XML injections occur when an application builds an XML-formatted string from
user input without prior validation or sanitation. In such a case, a tainted
user-controlled value can tamper with the XML string content. Especially,
unexpected arbitrary elements and attributes can be inserted in the
corresponding XML description.
A malicious injection payload could, for example:
* Insert tags into the main XML document.
* Add attributes to an existing XML tag.
* Change the data value inside a tag.
A malicious user-supplied value can perform other modifications depending on
where and how the constructed data is later used.
Reference in New Issue Copy Permalink