CA3075: Insecure DTD Processing
Note
This article applies to Visual Studio 2015. If you're looking for the latest Visual Studio documentation, see Visual Studio documentation. We recommend upgrading to the latest version of Visual Studio. Download it here
| Item | Value |
|---|---|
| TypeName | InsecureDTDProcessing |
| CheckId | CA3075 |
| Category | Microsoft.Security |
| Breaking Change | Non Breaking |
Cause
If you use insecure DtdProcessing instances or reference external entity sources, the parser may accept untrusted input and disclose sensitive information to attackers.
Rule Description
A Document Type Definition (DTD) is one of two ways an XML parser can determine the validity of a document, as defined by the World Wide Web Consortium (W3C) Extensible Markup Language (XML) 1.0. This rule seeks properties and instances where untrusted data is accepted to warn developers about potential Information Disclosure threats, which may lead to Denial of Service (DoS) attacks. This rule triggers when:
DtdProcessing is enabled on the XmlReader instance, which resolves external XML entities using XmlUrlResolver.
The InnerXml property in the XML is set.
DtdProcessing property is set to Parse .
Untrusted input is processed using XmlResolver instead of XmlSecureResolver .
The XmlReader.Create method is invoked with an insecure XmlReaderSettings instance or no instance at all.
XmlReader is created with insecure default settings or values .
In each of these cases, the outcome is the same: the contents from either the file system or network shares from the machine where the XML is processed will be exposed to the attacker, which may then be used as a DoS vector.
How to Fix Violations
Catch and process all XmlTextReader exceptions properly to avoid path information disclosure .
Use the XmlSecureResolver to restrict the resources that the XmlTextReader can access.
Do not allow the XmlReader to open any external resources by setting the XmlResolver property to null.
Ensure that the DataViewSettingCollectionString property of DataViewManager is assigned from a trusted source.
.NET 3.5 and earlier
Disable DTD processing if you are dealing with untrusted sources by setting the ProhibitDtd property to true .
XmlTextReader class has a full trust inheritance demand. See Inheritance Demands for more information .
.NET 4 and later
Avoid enabling DtdProcessing if you're dealing with untrusted sources by setting the DtdProcessing property to Prohibit or Ignore
Ensure that the Load() method takes an XmlReader instance in all InnerXml cases.
Note
This rule might report false positives on some valid XmlSecureResolver instances. We're working on solving this issue by mid 2016.
When to Suppress Warnings
Unless you're sure that the input is known to be from a trusted source, do not suppress a rule from this warning.
Pseudo-code Examples
Violation
using System.IO;
using System.Xml.Schema;
class TestClass
{
public XmlSchema Test
{
get
{
var src = "";
TextReader tr = new StreamReader(src);
XmlSchema schema = XmlSchema.Read(tr, null); // warn
return schema;
}
}
}
Solution
using System.IO;
using System.Xml;
using System.Xml.Schema;
class TestClass
{
public XmlSchema Test
{
get
{
var src = "";
TextReader tr = new StreamReader(src);
XmlTextReader reader = new XmlTextReader(tr) { DtdProcessing = DtdProcessing.Prohibit };
XmlSchema schema = XmlSchema.Read(reader , null);
return schema;
}
}
}
Violation
using System.Xml;
namespace TestNamespace
{
public class TestClass
{
public XmlReaderSettings settings = new XmlReaderSettings();
public void TestMethod(string path)
{
var reader = XmlReader.Create(path, settings); // warn
}
}
}
Solution
using System.Xml;
namespace TestNamespace
{
public class TestClass
{
public XmlReaderSettings settings = new XmlReaderSettings()
{
DtdProcessing = DtdProcessing.Prohibit
};
public void TestMethod(string path)
{
var reader = XmlReader.Create(path, settings);
}
}
}
Violations
using System.Xml;
namespace TestNamespace
{
public class DoNotUseSetInnerXml
{
public void TestMethod(string xml)
{
XmlDocument doc = new XmlDocument() { XmlResolver = null };
doc.InnerXml = xml; // warn
}
}
}
using System.Xml;
namespace TestNamespace
{
public class DoNotUseLoadXml
{
public void TestMethod(string xml)
{
XmlDocument doc = new XmlDocument(){ XmlResolver = null };
doc.LoadXml(xml); // warn
}
}
}
Solution
using System.Xml;
public static void TestMethod(string xml)
{
XmlDocument doc = new XmlDocument() { XmlResolver = null };
System.IO.StringReader sreader = new System.IO.StringReader(xml);
XmlTextReader reader = new XmlTextReader(sreader) { DtdProcessing = DtdProcessing.Prohibit };
doc.Load(reader);
}
Violation
using System.IO;
using System.Xml;
using System.Xml.Serialization;
namespace TestNamespace
{
public class UseXmlReaderForDeserialize
{
public void TestMethod(Stream stream)
{
XmlSerializer serializer = new XmlSerializer(typeof(UseXmlReaderForDeserialize));
serializer.Deserialize(stream); // warn
}
}
}
Solution
using System.IO;
using System.Xml;
using System.Xml.Serialization;
namespace TestNamespace
{
public class UseXmlReaderForDeserialize
{
public void TestMethod(Stream stream)
{
XmlSerializer serializer = new XmlSerializer(typeof(UseXmlReaderForDeserialize));
XmlTextReader reader = new XmlTextReader(stream) { DtdProcessing = DtdProcessing.Prohibit } ;
serializer.Deserialize(reader );
}
}
}
Violation
using System.Xml;
using System.Xml.XPath;
namespace TestNamespace
{
public class UseXmlReaderForXPathDocument
{
public void TestMethod(string path)
{
XPathDocument doc = new XPathDocument(path); // warn
}
}
}
Solution
using System.Xml;
using System.Xml.XPath;
namespace TestNamespace
{
public class UseXmlReaderForXPathDocument
{
public void TestMethod(string path)
{
XmlTextReader reader = new XmlTextReader(path) { DtdProcessing = DtdProcessing.Prohibit };
XPathDocument doc = new XPathDocument(reader);
}
}
}
Violation
using System.Xml;
namespace TestNamespace
{
class TestClass
{
public XmlDocument doc = new XmlDocument() { XmlResolver = new XmlUrlResolver() };
}
}
Solution
using System.Xml;
namespace TestNamespace
{
class TestClass
{
public XmlDocument doc = new XmlDocument() { XmlResolver = null }; // or set to a XmlSecureResolver instance
}
}
Violations
using System.Xml;
namespace TestNamespace
{
public class TestClass
{
public void TestMethod(string path)
{
XmlReaderSettings settings = new XmlReaderSettings(){ DtdProcessing = DtdProcessing.Parse };
XmlReader reader = XmlReader.Create(path, settings); // warn
}
}
}
using System.Xml;
namespace TestNamespace
{
class TestClass
{
private static void TestMethod()
{
var reader = XmlTextReader.Create(""doc.xml""); //warn
}
}
}
using System.Xml;
namespace TestNamespace
{
public class TestClass
{
public void TestMethod(string path)
{
try {
XmlTextReader reader = new XmlTextReader(path); // warn
}
catch { throw ; }
finally {}
}
}
}
Solution
using System.Xml;
namespace TestNamespace
{
public class TestClass
{
public void TestMethod(string path)
{
XmlReaderSettings settings = new XmlReaderSettings(){ DtdProcessing = DtdProcessing.Prohibit };
XmlReader reader = XmlReader.Create(path, settings);
}
}
}