---
title: "CA2350: Ensure DataTable.ReadXml()'s input is trusted (code analysis)"
description: "Learn about code analysis rule CA2350: Ensure DataTable.ReadXml()'s input is trusted"
ms.date: 07/14/2020
author: dotpaul
ms.author: paulming
dev_langs:
  - CSharp
f1_keywords:
  - CA2350
---

CA2350: Ensure DataTable.ReadXml()'s input is trusted

| Property                            | Value                                           |
|-------------------------------------|-------------------------------------------------|
| Rule ID                             | CA2350                                          |
| Title                               | Ensure DataTable.ReadXml()'s input is trusted   |
| Category                            | Security                                        |
| Fix is breaking or non-breaking     | Non-breaking                                    |
| Enabled by default in .NET 8        | No                                              |

Cause

The <xref:System.Data.DataTable.ReadXml%2A?displayProperty=nameWithType> method was called or referenced.

Rule description

When deserializing a <xref:System.Data.DataTable> from untrusted input, an attacker can craft malicious input to perform a denial of service attack. There may also be unknown remote code execution vulnerabilities.

For more information, see DataSet and DataTable security guidance.

How to fix violations

  • If possible, use Entity Framework rather than the <xref:System.Data.DataTable>.
  • Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
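The sign-then-verify pattern from the second bullet, as an added C# example that is not part of the rule documentation: the XML produced by WriteXml is authenticated with an HMAC, and ReadXml only runs after the MAC checks out. The in-memory random key stands in for a key loaded from a secret store; the class and method names are this example's own.

```csharp
using System;
using System.Data;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class SignedDataTableXml
{
    // Placeholder key for the example. In production, load it from a key
    // vault or DPAPI-protected store and version it so it can be rotated.
    public static readonly byte[] SigningKey = RandomNumberGenerator.GetBytes(32);

    // Serialize the table (schema included so ReadXml can rebuild columns)
    // and compute an HMAC-SHA256 tag over the exact bytes that will be stored.
    // Note: WriteXml requires table.TableName to be set.
    public static (string Xml, string Tag) Serialize(DataTable table)
    {
        var sb = new StringBuilder();
        using (var writer = new StringWriter(sb))
        {
            table.WriteXml(writer, XmlWriteMode.WriteSchema);
        }
        string xml = sb.ToString();
        byte[] mac = HMACSHA256.HashData(SigningKey, Encoding.UTF8.GetBytes(xml));
        return (xml, Convert.ToBase64String(mac));
    }

    // Verify the tag in constant time BEFORE the XML reaches ReadXml.
    // A malformed or mismatched tag means the input is not trusted and is rejected.
    public static DataTable Deserialize(string xml, string tag)
    {
        byte[] actual;
        try { actual = Convert.FromBase64String(tag); }
        catch (FormatException) { throw new CryptographicException("Malformed signature."); }

        byte[] expected = HMACSHA256.HashData(SigningKey, Encoding.UTF8.GetBytes(xml));
        if (!CryptographicOperations.FixedTimeEquals(expected, actual))
        {
            throw new CryptographicException("Signature mismatch; refusing to deserialize.");
        }

        // Only authenticated data gets here, so CA2350's concern no longer applies.
        var table = new DataTable();
        using var reader = new StringReader(xml);
        table.ReadXml(reader);
        return table;
    }
}
```

Because the tag covers the serialized bytes rather than the parsed table, any edit to the XML in transit (including to the embedded schema) invalidates it before ReadXml sees the data.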

When to suppress warnings

[!INCLUDEinsecure-deserializers-common-safe-to-suppress]

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

```csharp
#pragma warning disable CA2350
// The code that's violating the rule is on this line.
#pragma warning restore CA2350
```

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

```ini
[*.{cs,vb}]
dotnet_diagnostic.CA2350.severity = none
```

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

```csharp
using System.Data;

public class ExampleClass
{
    public DataTable MyDeserialize(string untrustedXml)
    {
        DataTable dt = new DataTable();
        // CA2350 fires here: ReadXml is fed input that is not known to be trusted.
        dt.ReadXml(untrustedXml);
        return dt;
    }
}
```

Related rules

CA2351: Ensure DataSet.ReadXml()'s input is trusted

CA2352: Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks

CA2353: Unsafe DataSet or DataTable in serializable type

CA2354: Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attack

CA2355: Unsafe DataSet or DataTable in deserialized object graph

CA2356: Unsafe DataSet or DataTable in web deserialized object graph

CA2361: Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data

CA2362: Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks