title | description | ms.date | f1_keywords | |
---|---|---|---|---|
CA3076: Insecure XSLT Script Execution (code analysis) |
Learn about code analysis rule CA3076: Insecure XSLT Script Execution |
11/04/2016 |
|
Property | Value |
---|---|
Rule ID | CA3076 |
Title | Insecure XSLT Script Execution |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 8 | No |
If you execute Extensible Stylesheets Language Transformations (XSLT) in .NET applications insecurely, the processor may resolve untrusted URI references that could disclose sensitive information to attackers, leading to Denial of Service and Cross-Site attacks. For more information, see XSLT Security Considerations(.NET Guide).
XSLT is a World Wide Web Consortium (W3C) standard for transforming XML data. XSLT is typically used to write style sheets to transform XML data to other formats such as HTML, fixed-length text, comma-separated text, or a different XML format. Although prohibited by default, you may choose to enable it for your project.
To ensure you're not exposing an attack surface, this rule triggers whenever the XslCompiledTransform.xref:System.Xml.Xsl.XslCompiledTransform.Load%2A receives insecure combination instances of xref:System.Xml.Xsl.XsltSettings and xref:System.Xml.XmlResolver, which allows malicious script processing.
-
Replace the insecure XsltSettings argument with XsltSettings.xref:System.Xml.Xsl.XsltSettings.Default%2A or with an instance that has disabled document function and script execution.
-
Replace the xref:System.Xml.XmlResolver argument with null or an xref:System.Xml.XmlSecureResolver instance.
Unless you're sure that the input is known to be from a trusted source, do not suppress a rule from this warning.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA3076
// The code that's violating the rule is on this line.
#pragma warning restore CA3076
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA3076.severity = none
For more information, see How to suppress code analysis warnings.
using System.Xml;
using System.Xml.Xsl;
namespace TestNamespace
{
class TestClass
{
void TestMethod()
{
XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
var settings = XsltSettings.TrustedXslt;
var resolver = new XmlUrlResolver();
xslCompiledTransform.Load("testStylesheet", settings, resolver); // warn
}
}
}
using System.Xml;
using System.Xml.Xsl;
namespace TestNamespace
{
class TestClass
{
void TestMethod()
{
XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
var settings = XsltSettings.Default;
var resolver = new XmlUrlResolver();
xslCompiledTransform.Load("testStylesheet", settings, resolver);
}
}
}
using System.Xml;
using System.Xml.Xsl;
namespace TestNamespace
{
class TestClass
{
private static void TestMethod(XsltSettings settings)
{
try
{
XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
var resolver = new XmlUrlResolver();
xslCompiledTransform.Load("testStylesheet", settings, resolver); // warn
}
catch { throw; }
finally { }
}
}
}
using System.Xml;
using System.Xml.Xsl;
namespace TestNamespace
{
class TestClass
{
private static void TestMethod(XsltSettings settings)
{
try
{
XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
settings.EnableDocumentFunction = false;
settings.EnableScript = false;
var resolver = new XmlUrlResolver();
xslCompiledTransform.Load("testStylesheet", settings, resolver);
}
catch { throw; }
finally { }
}
}
}