CodeQL documentation

Untrusted XML is read insecurely

ID: cs/xml/insecure-dtd-handling
Kind: path-problem
Security severity: 9.1
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-611
  - external/cwe/cwe-827
  - external/cwe/cwe-776
Query suites:
  - csharp-code-scanning.qls
  - csharp-security-extended.qls
  - csharp-security-and-quality.qls


XML documents can contain Document Type Definitions (DTDs), which may define new XML entities. These can be used to perform Denial of Service (DoS) attacks, or resolve to resources outside the intended sphere of control.

Recommendation

When processing XML documents, ensure that DTD processing is disabled unless absolutely necessary, and if it is necessary, ensure that a secure resolver is used.

Example

The following example shows an HTTP request parameter being read directly into an XmlTextReader. In the current version of the .NET Framework, XmlTextReader has DTD processing enabled by default.

using System.Web;
using System.Xml;

public class XMLHandler : IHttpHandler
{
    public void ProcessRequest(HttpContext ctx)
    {
        // BAD: XmlTextReader is insecure by default, and the payload is user-provided data
        XmlTextReader reader = new XmlTextReader(ctx.Request.QueryString["document"]);
        ...
    }
}

The solution is to set the DtdProcessing property to DtdProcessing.Prohibit.
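A hardened version of the handler, added here as an example and not taken from the CodeQL documentation: it sets DtdProcessing to DtdProcessing.Prohibit and clears the XmlResolver before any input is read, and it parses the query-string value as XML text rather than handing it to the URL-taking constructor. Returning a 400 status when a DTD is rejected is an assumed application policy.

```csharp
using System.IO;
using System.Web;
using System.Xml;

public class XMLHandler : IHttpHandler
{
    public bool IsReusable => false;

    public void ProcessRequest(HttpContext ctx)
    {
        // Assumption: the XML document itself arrives in the "document" parameter.
        // It is treated as text to parse, never as a URL or file path to open.
        string xml = ctx.Request.QueryString["document"] ?? string.Empty;

        try
        {
            // GOOD: DTDs are rejected outright, so internal entity expansion
            // (DoS) and external entity resolution (file/network reads) never occur.
            using (XmlTextReader reader = new XmlTextReader(new StringReader(xml))
            {
                DtdProcessing = DtdProcessing.Prohibit,
                XmlResolver = null,   // no external fetches even if DTDs were ever re-enabled
            })
            {
                while (reader.Read())
                {
                    // Process nodes as the application requires.
                }
            }
        }
        catch (XmlException)
        {
            // Under DtdProcessing.Prohibit any <!DOCTYPE> in the input raises
            // XmlException; treat it as a malformed request instead of expanding it.
            ctx.Response.StatusCode = 400;
        }
    }
}
```

The same two settings can be supplied through XmlReaderSettings to XmlReader.Create, which is the usual choice in newer code.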
