Missing XML validation

ID: cs/xml/missing-validation
Kind: path-problem
Security severity: 4.3
Severity: recommendation
Precision: high
Tags:
- security
- external/cwe/cwe-112
Query suites:
- csharp-security-extended.qls
- csharp-security-and-quality.qls
If unsanitized user input is processed as XML, it should be validated against a known schema. If no validation occurs, or if the validation relies on the schema or DTD specified in the document itself, then the XML document may contain any data in any form, which may invalidate assumptions the program later makes.
Recommendation
All XML provided by a user should be validated against a known schema when it is processed.
If using XmlReader.Create, you should always pass an instance of XmlReaderSettings with the following properties:
- ValidationType must be set to Schema. If this property is unset, no validation occurs. If it is set to DTD, the document is only validated against the DTD specified in the user-provided document itself, which could be specified as anything by a malicious user.
- ValidationFlags must not include ProcessInlineSchema or ProcessSchemaLocation. These flags allow a user to provide their own inline schema or schema location for validation, allowing a malicious user to bypass the known schema validation.
Example

In the following example, text provided by a user is loaded using XmlReader.Create. In the first three cases, insufficient validation occurs, because either no validation is specified, or validation is only specified against a DTD provided by the user, or the validation permits a user to provide an inline schema. In the final case, a known schema is provided and validation is set using an instance of XmlReaderSettings. This ensures that the user input is properly validated against the known schema.
```csharp
using System;
using System.IO;
using System.Web;
using System.Xml;
using System.Xml.Schema;

public class MissingXmlValidationHandler : IHttpHandler
{
    // Required by IHttpHandler; added so the sample compiles as a complete handler.
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext ctx)
    {
        String userProvidedXml = ctx.Request.QueryString["userProvidedXml"];

        // BAD: User provided XML is processed without any validation,
        // because there is no settings instance configured.
        XmlReader.Create(new StringReader(userProvidedXml));

        // BAD: User provided XML is processed without any validation,
        // because the settings instance specifies DTD as the ValidationType
        XmlReaderSettings badSettings = new XmlReaderSettings();
        badSettings.ValidationType = ValidationType.DTD;
        XmlReader.Create(new StringReader(userProvidedXml), badSettings);

        // BAD: User provided XML is processed with validation, but the ProcessInlineSchema
        // option is specified, so an attacker can provide their own schema to validate
        // against.
        XmlReaderSettings badInlineSettings = new XmlReaderSettings();
        badInlineSettings.ValidationType = ValidationType.Schema;
        badInlineSettings.ValidationFlags |= XmlSchemaValidationFlags.ProcessInlineSchema;
        XmlReader.Create(new StringReader(userProvidedXml), badInlineSettings);

        // GOOD: User provided XML is processed with validation against a known schema
        XmlReaderSettings goodSettings = new XmlReaderSettings();
        goodSettings.ValidationType = ValidationType.Schema;
        goodSettings.Schemas = new XmlSchemaSet() { { "urn:my-schema", "my.xsd" } };
        XmlReader.Create(new StringReader(userProvidedXml), goodSettings);
    }
}
```
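The GOOD case above only configures the reader; it does not show that validation happens as the document is read, nor how failures surface. The following added example (not part of the CodeQL documentation) uses a constructed in-memory schema and constructed inputs to validate a user-supplied document end to end, reporting every schema violation through a ValidationEventHandler. It also turns on ReportValidationWarnings, because by default a document whose elements are not covered by the known schema only produces a warning and would otherwise pass silently.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Schema;

public static class KnownSchemaValidation
{
    // Constructed schema: root <order> in urn:my-schema with a single positive-integer <qty>.
    const string SchemaXml =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' targetNamespace='urn:my-schema' elementFormDefault='qualified'>" +
        "<xs:element name='order'><xs:complexType><xs:sequence>" +
        "<xs:element name='qty' type='xs:positiveInteger'/>" +
        "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Returns all validation problems; an empty list means the document conforms to the known schema.
    public static List<string> Validate(string userProvidedXml)
    {
        var errors = new List<string>();
        var settings = new XmlReaderSettings();
        settings.ValidationType = ValidationType.Schema;
        // Never let the document supply its own schema (inline or via xsi:schemaLocation).
        settings.ValidationFlags &= ~(XmlSchemaValidationFlags.ProcessInlineSchema
                                      | XmlSchemaValidationFlags.ProcessSchemaLocation);
        // Without this, "no schema information for element" is a warning and is not reported.
        settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        // Prohibit is the default, set explicitly: a user-supplied DTD is rejected outright.
        settings.DtdProcessing = DtdProcessing.Prohibit;
        settings.Schemas.Add("urn:my-schema", XmlReader.Create(new StringReader(SchemaXml)));
        // Collect rather than throw, so every problem in the document is reported at once.
        settings.ValidationEventHandler += (sender, e) => errors.Add(e.Severity + ": " + e.Message);

        using (var reader = XmlReader.Create(new StringReader(userProvidedXml), settings))
        {
            // Validation occurs node by node during Read(); creating the reader alone validates nothing.
            while (reader.Read()) { }
        }
        return errors;
    }

    public static void Main()
    {
        // Constructed inputs standing in for the request parameter.
        string good = "<order xmlns='urn:my-schema'><qty>3</qty></order>";
        string bad = "<order xmlns='urn:my-schema'><qty>-1</qty><note>extra</note></order>";
        string foreign = "<order><qty>3</qty></order>"; // wrong namespace: not covered by the schema
        foreach (var input in new[] { good, bad, foreign })
            Console.WriteLine(Validate(input).Count == 0 ? "valid" : string.Join("; ", Validate(input)));
    }
}
```

Treat any non-empty result as a rejected request; the rest of the handler must not touch the parsed content until the reader has been consumed without errors.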
References

Common Weakness Enumeration: CWE-112.