include::../description.adoc[] == Noncompliant Code Example System.Xml.XmlDocument ---- // .NET Framework < 4.5.2 XmlDocument parser = new XmlDocument(); // Noncompliant: XmlDocument is not safe by default parser.LoadXml("xxe.xml"); or // .NET Framework 4.5.2+ XmlDocument parser = new XmlDocument(); parser.XmlResolver = new XmlUrlResolver(); // Noncompliant: XmlDocument.XmlResolver configured with XmlUrlResolver that makes it unsafe parser.LoadXml("xxe.xml"); ---- System.Xml.XmlTextReader ---- // .NET Framework < 4.5.2 XmlTextReader reader = new XmlTextReader("xxe.xml"); // Noncompliant: XmlTextReady is not safe by default while (reader.Read()) { ... } or // .NET Framework 4.5.2+ XmlTextReader reader = new XmlTextReader("xxe.xml"); reader.XmlResolver = new XmlUrlResolver(); // Noncompliant: XmlTextRead.XmlResolver configured with XmlUrlResolver that makes it unsafe while (reader.Read()) { ... } ---- System.Xml.XmlReader ---- // .NET Framework 4.5.2+ XmlReaderSettings settings = new XmlReaderSettings(); settings.DtdProcessing = DtdProcessing.Parse; settings.XmlResolver = new XmlUrlResolver(); XmlReader reader = XmlReader.Create("xxe.xml", settings); // Noncompliant: XmlReader is safe by default and becomes unsafe if DtdProcessing = Parse and XmlResolver is not null while (reader.Read()) { ... } ---- System.Xml.XPath.XPathDocument ---- // prior to .NET 4.5.2 XPathDocument doc = new XPathDocument("example.xml"); // Noncompliant XPathNavigator nav = doc.CreateNavigator(); string xml = nav.InnerXml.ToString(); ---- == Compliant Solution System.Xml.XmlDocument ---- XmlDocument parser = new XmlDocument(); parser.XmlResolver = null; // Compliant: XmlResolver has been set to null parser.LoadXml("xxe.xml"); or XmlDocument parser = new XmlDocument(); // Compliant: XmlDocument is safe by default in .NET Framework 4.5.2+ because XmlResolver is set by default to null parser.LoadXml("xxe.xml"); ---- System.Xml.XmlTextReader ---- // .NET 4.5.2+ XmlTextReader reader = new XmlTextReader("xxe.xml"); // Compliant: XmlTextReader is safe by default in .NET Framework 4.5.2+ because XmlResolver is set by default to null while (reader.Read()) { ... } // .NET 4.0 to .NET 4.5.1 XmlTextReader reader = new XmlTextReader("xxe.xml"); reader.DtdProcessing = DtdProcessing.Prohibit; // Compliant: XmlTextReader is safe by default in .NET Framework 4.5.2+ because XmlResolver is set by default to null // < .NET 4.0 XmlTextReader reader = new XmlTextReader(stream); reader.ProhibitDtd = true; // Compliant: default is false ---- System.Xml.XmlReader ---- XmlReader reader = XmlReader.Create("xxe.xml"); // Compliant: XmlReader is safe by default while (reader.Read()) { ... } ---- System.Xml.XPath.XPathDocument ---- // prior to .NET 4.5.2 XmlReader reader = XmlReader.Create("example.xml"); XPathDocument doc = new XPathDocument(reader); // Compliant: XPathDocument is safe when being given a safe XmlReader XPathNavigator nav = doc.CreateNavigator(); string xml = nav.InnerXml.ToString(); ---- == See * https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE) * https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#net[OWASP XXE Prevention Cheat Sheet] * http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference * http://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition ifdef::env-github,rspecator-view[] == Comments And Links (visible only on this page) include::comments-and-links.adoc[] endif::env-github,rspecator-view[]