include::../description.adoc[]
|
|
|
|
== Noncompliant Code Examples
|
|
|
|
System.Xml.XmlDocument
|
|
|
|
----
|
|
// .NET Framework < 4.5.2
|
|
XmlDocument parser = new XmlDocument(); // Noncompliant: XmlDocument is not safe by default (its XmlResolver is a URL resolver, so external entities declared in a DTD are fetched)
|
|
parser.LoadXml("xxe.xml"); // NOTE(review): LoadXml takes XML text, not a path; Load("xxe.xml") is presumably what is intended
|
|
|
|
or
|
|
|
|
// .NET Framework 4.5.2+
|
|
XmlDocument parser = new XmlDocument();
|
|
parser.XmlResolver = new XmlUrlResolver(); // Noncompliant: XmlDocument.XmlResolver configured with XmlUrlResolver that makes it unsafe (the safe default null resolver is overridden)
|
|
parser.LoadXml("xxe.xml");
|
|
----
|
|
|
|
System.Xml.XmlTextReader
|
|
|
|
----
|
|
// .NET Framework < 4.5.2
|
|
XmlTextReader reader = new XmlTextReader("xxe.xml"); // Noncompliant: XmlTextReader is not safe by default (XmlResolver is not null, so external entities are resolved)
|
|
while (reader.Read())
|
|
{ ... }
|
|
|
|
or
|
|
|
|
// .NET Framework 4.5.2+
|
|
XmlTextReader reader = new XmlTextReader("xxe.xml");
|
|
reader.XmlResolver = new XmlUrlResolver(); // Noncompliant: XmlTextReader.XmlResolver configured with XmlUrlResolver that makes it unsafe
|
|
while (reader.Read())
|
|
{ ... }
|
|
----
|
|
|
|
System.Xml.XmlReader
|
|
|
|
----
|
|
// .NET Framework 4.5.2+
|
|
XmlReaderSettings settings = new XmlReaderSettings();
|
|
settings.DtdProcessing = DtdProcessing.Parse; // DTDs, and the external entities they declare, are expanded
|
|
settings.XmlResolver = new XmlUrlResolver(); // the resolver that actually fetches the external entity URIs
|
|
XmlReader reader = XmlReader.Create("xxe.xml", settings); // Noncompliant: XmlReader is safe by default and becomes unsafe only when both DtdProcessing = Parse and XmlResolver is not null
|
|
while (reader.Read())
|
|
{ ... }
|
|
----
|
|
|
|
System.Xml.XPath.XPathDocument
|
|
|
|
----
|
|
// prior to .NET 4.5.2
|
|
XPathDocument doc = new XPathDocument("example.xml"); // Noncompliant: the URI constructor parses with an internally created reader (presumably an XmlTextReader) whose XmlResolver is not null before 4.5.2, so external entities are resolved
|
|
XPathNavigator nav = doc.CreateNavigator();
|
|
string xml = nav.InnerXml.ToString();
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
System.Xml.XmlDocument
|
|
|
|
----
|
|
XmlDocument parser = new XmlDocument();
|
|
parser.XmlResolver = null; // Compliant: XmlResolver has been set to null, so no external entity can be fetched regardless of the framework version
|
|
parser.LoadXml("xxe.xml"); // NOTE(review): LoadXml takes XML text, not a path; Load("xxe.xml") is presumably what is intended
|
|
|
|
or
|
|
|
|
XmlDocument parser = new XmlDocument(); // Compliant: XmlDocument is safe by default in .NET Framework 4.5.2+ because XmlResolver is set by default to null
|
|
parser.LoadXml("xxe.xml");
|
|
----
|
|
|
|
System.Xml.XmlTextReader
|
|
|
|
----
|
|
// .NET 4.5.2+
|
|
XmlTextReader reader = new XmlTextReader("xxe.xml"); // Compliant: XmlTextReader is safe by default in .NET Framework 4.5.2+ because XmlResolver is set by default to null
|
|
while (reader.Read())
|
|
{ ... }
|
|
|
|
// .NET 4.0 to .NET 4.5.1
|
|
XmlTextReader reader = new XmlTextReader("xxe.xml");
|
|
reader.DtdProcessing = DtdProcessing.Prohibit; // Compliant: DTD processing is prohibited, so no external entity can be declared or resolved (XmlResolver is not null by default in these versions)
|
|
|
|
// < .NET 4.0
|
|
XmlTextReader reader = new XmlTextReader(stream);
|
|
reader.ProhibitDtd = true; // Compliant: ProhibitDtd defaults to false on XmlTextReader, so it must be enabled explicitly
|
|
----
|
|
|
|
System.Xml.XmlReader
|
|
|
|
----
|
|
XmlReader reader = XmlReader.Create("xxe.xml"); // Compliant: XmlReader is safe by default (the default XmlReaderSettings prohibit DTD processing)
|
|
while (reader.Read())
|
|
{ ... }
|
|
----
|
|
|
|
System.Xml.XPath.XPathDocument
|
|
|
|
----
|
|
// prior to .NET 4.5.2
|
|
XmlReader reader = XmlReader.Create("example.xml"); // safe by default: DTD processing is prohibited
|
|
XPathDocument doc = new XPathDocument(reader); // Compliant: XPathDocument is safe when being given a safe XmlReader, since it no longer creates its own reader
|
|
XPathNavigator nav = doc.CreateNavigator();
|
|
string xml = nav.InnerXml.ToString();
|
|
----
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#net[OWASP XXE Prevention Cheat Sheet]
|
|
* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
|
|
* http://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition
|