Field | Value |
---|---|
title | CA5366: Use XmlReader For DataSet Read XML (code analysis) |
description | Provides information about code analysis rule CA5366, including causes, how to fix violations, and when to suppress it. |
ms.date | 04/30/2020 |
author | LLLXXXCCC |
ms.author | linche |
f1_keywords | |
Property | Value |
---|---|
Rule ID | CA5366 |
Title | Use XmlReader For DataSet Read XML |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 8 | No |
A Document Type Definition (DTD) defines the structure and the legal elements and attributes of an XML document. Referring to a DTD from an external resource can open the door to Denial of Service (DoS) attacks. Apart from xref:System.Xml.XmlReader?displayProperty=nameWithType, most readers can neither disable DTD processing nor restrict the loading of external references. Using one of these other readers to load XML through any of the following methods triggers this rule:
- xref:System.Data.DataSet.ReadXml%2A
- xref:System.Data.DataSet.ReadXmlSchema%2A
- xref:System.Data.DataSet.ReadXmlSerializable%2A
Using a xref:System.Data.DataSet?displayProperty=nameWithType to read XML with untrusted data may load dangerous external references, which should be restricted by using an xref:System.Xml.XmlReader with a secure resolver or with DTD processing disabled.
Use xref:System.Xml.XmlReader or its derived classes to read XML.
Suppress a warning from this rule when dealing with a trusted data source.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
```csharp
#pragma warning disable CA5366
// The code that's violating the rule is on this line.
#pragma warning restore CA5366
```
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
```ini
[*.{cs,vb}]
dotnet_diagnostic.CA5366.severity = none
```
For more information, see How to suppress code analysis warnings.
Violation:
```csharp
using System.Data;
using System.IO;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // Violates CA5366: the DataSet parses the stream with a reader that cannot
        // restrict DTD processing or external references.
        new DataSet().ReadXml(new FileStream("xmlFilename", FileMode.Open));
    }
}
```
Solution:
```csharp
using System.Data;
using System.IO;
using System.Xml;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // Satisfies CA5366: the XML is read through an XmlReader-derived class.
        new DataSet().ReadXml(new XmlTextReader(new FileStream("xmlFilename", FileMode.Open)));
    }
}
```
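The rule description above recommends an xref:System.Xml.XmlReader with a secure resolver or with DTD processing disabled. The following added example (not part of the original page or of the .NET analyzer docs) shows that configuration end to end: a hypothetical helper `ReadUntrustedXml` loads a DataSet through `XmlReader.Create` with `DtdProcessing.Prohibit` and a null `XmlResolver`, reads a constructed, well-formed document, and then shows the reader rejecting a constructed document whose DOCTYPE points at an external resource before anything is fetched.

```csharp
using System;
using System.Data;
using System.IO;
using System.Text;
using System.Xml;

public static class SecureDataSetXml
{
    // Hypothetical helper: loads XML into a DataSet through an XmlReader that
    // neither parses DTDs nor resolves external references.
    public static DataSet ReadUntrustedXml(Stream xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> throws XmlException
            XmlResolver = null                      // never fetch external resources
        };
        using var reader = XmlReader.Create(xml, settings);
        var ds = new DataSet();
        ds.ReadXml(reader);
        return ds;
    }

    public static void Main()
    {
        // Constructed sample: a DataSet-style document with one table, two rows.
        const string safeXml =
            "<Root><Item><Id>1</Id><Name>first</Name></Item>" +
            "<Item><Id>2</Id><Name>second</Name></Item></Root>";
        DataSet ds = ReadUntrustedXml(new MemoryStream(Encoding.UTF8.GetBytes(safeXml)));
        Console.WriteLine($"Tables: {ds.Tables.Count}, rows in Item: {ds.Tables["Item"].Rows.Count}");

        // Constructed sample: the same document preceded by a DOCTYPE that refers to an
        // external DTD (placeholder URL). With DTD processing prohibited the reader throws
        // as soon as it sees the DOCTYPE, so the external reference is never resolved.
        const string dtdXml =
            "<!DOCTYPE Root SYSTEM \"http://placeholder.invalid/external.dtd\">" + safeXml;
        try
        {
            ReadUntrustedXml(new MemoryStream(Encoding.UTF8.GetBytes(dtdXml)));
            Console.WriteLine("Unexpected: DOCTYPE was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected as expected: " + ex.Message);
        }
    }
}
```

Setting `XmlResolver = null` matters even if a DTD were later allowed, because it is the resolver that turns a DOCTYPE or entity reference into a network or file fetch.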