title | description | ms.date | author | ms.author | dev_langs | f1_keywords | ||
---|---|---|---|---|---|---|---|---|
CA2350: Ensure DataTable.ReadXml()'s input is trusted (code analysis) |
Learn about code analysis rule CA2350: Ensure DataTable.ReadXml()'s input is trusted |
07/14/2020 |
dotpaul |
paulming |
|
|
Property | Value |
---|---|
Rule ID | CA2350 |
Title | Ensure DataTable.ReadXml()'s input is trusted |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 8 | No |
The xref:System.Data.DataTable.ReadXml%2A?displayProperty=nameWithType method was called or referenced.
When deserializing a xref:System.Data.DataTable with untrusted input, an attacker can craft malicious input to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.
For more information, see DataSet and DataTable security guidance.
- If possible, use Entity Framework rather than the xref:System.Data.DataTable.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
[!INCLUDEinsecure-deserializers-common-safe-to-suppress]
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA2350
// The code that's violating the rule is on this line.
#pragma warning restore CA2350
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA2350.severity = none
For more information, see How to suppress code analysis warnings.
using System.Data;
public class ExampleClass
{
public DataTable MyDeserialize(string untrustedXml)
{
DataTable dt = new DataTable();
dt.ReadXml(untrustedXml);
}
}
CA2351: Ensure DataSet.ReadXml()'s input is trusted
CA2353: Unsafe DataSet or DataTable in serializable type
CA2355: Unsafe DataSet or DataTable in deserialized object graph
CA2356: Unsafe DataSet or DataTable in web deserialized object graph
CA2361: Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data