---
title: "CA5366: Use XmlReader For DataSet Read XML (code analysis)"
description: Provides information about code analysis rule CA5366, including causes, how to fix violations, and when to suppress it.
ms.date: 04/30/2020
author: LLLXXXCCC
ms.author: linche
f1_keywords:
  - CA5366
---

# CA5366: Use XmlReader For DataSet Read XML

| Property                            | Value                                    |
|-------------------------------------|------------------------------------------|
| **Rule ID**                         | CA5366                                   |
| **Title**                           | Use XmlReader For DataSet Read XML       |
| **Category**                        | Security                                 |
| **Fix is breaking or non-breaking** | Non-breaking                             |
| **Enabled by default in .NET 8**    | No                                       |

## Cause

A Document Type Definition (DTD) defines the structure and the legal elements and attributes of an XML document. Referencing a DTD hosted on an external resource can expose the application to Denial of Service (DoS) attacks. Of the readers that can feed XML into a DataSet, only <xref:System.Xml.XmlReader?displayProperty=nameWithType> lets you disable DTD processing and restrict the loading of external references. Using any other reader to load XML through one of the following methods triggers this rule:

- <xref:System.Data.DataSet.ReadXml%2A>
- <xref:System.Data.DataSet.ReadXmlSchema%2A>
- <xref:System.Data.DataSet.ReadXmlSerializable%2A>

## Rule description

Using a <xref:System.Data.DataSet?displayProperty=nameWithType> to read XML that contains untrusted data may load dangerous external references. Restrict this by reading through an <xref:System.Xml.XmlReader> that is configured with a secure resolver or with DTD processing disabled.

## How to fix violations

Use <xref:System.Xml.XmlReader> or one of its derived classes to read the XML.

## When to suppress warnings

Suppress a warning from this rule when the XML comes from a trusted data source.

## Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

```csharp
#pragma warning disable CA5366
// The code that's violating the rule is on this line.
#pragma warning restore CA5366
```

To disable the rule for a file, folder, or project, set its severity to `none` in the [configuration file](../configuration-files.md).

```ini
[*.{cs,vb}]
dotnet_diagnostic.CA5366.severity = none
```

For more information, see [How to suppress code analysis warnings](../suppress-warnings.md).

## Pseudo-code examples

### Violation

```csharp
using System.Data;
using System.IO;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // FileStream is not an XmlReader, so DataSet falls back to a reader
        // whose DTD handling and external resolution cannot be restricted.
        new DataSet().ReadXml(new FileStream("xmlFilename", FileMode.Open));
    }
}
```

### Solution

```csharp
using System.Data;
using System.IO;
using System.Xml;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // XmlTextReader derives from XmlReader, which satisfies the rule.
        new DataSet().ReadXml(new XmlTextReader(new FileStream("xmlFilename", FileMode.Open)));
    }
}
```
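The rule description above asks for an `XmlReader` with DTD processing disabled or a secure resolver, and the solution shows the reader type but not those two settings. The following is an added example, not part of the dotnet/docs page or of the .NET rule's own samples, that wires both settings in: once through `XmlReaderSettings` with `XmlReader.Create`, and once on an `XmlTextReader` instance as in the solution. The class and method names (`SecureDataSetLoader`, `LoadUntrustedXml`, `LoadWithXmlTextReader`) and the two inline XML documents are constructed for this example; the `http://example.invalid/` DTD URL is a placeholder that is never fetched.

```csharp
using System;
using System.Data;
using System.IO;
using System.Text;
using System.Xml;

public static class SecureDataSetLoader
{
    // Reads XML into a DataSet through an XmlReader that refuses DTDs.
    // DtdProcessing.Prohibit makes the reader throw XmlException as soon as a
    // <!DOCTYPE> is seen; a null XmlResolver guarantees that no external
    // resource is fetched even if DTD processing were later relaxed.
    public static DataSet LoadUntrustedXml(Stream xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };

        using (XmlReader reader = XmlReader.Create(xml, settings))
        {
            var dataSet = new DataSet();
            dataSet.ReadXml(reader);
            return dataSet;
        }
    }

    // Same hardening applied to XmlTextReader (the type used in the rule's
    // solution above). XmlTextReader exposes DtdProcessing and a set-only
    // XmlResolver property directly on the instance.
    public static DataSet LoadWithXmlTextReader(Stream xml)
    {
        using (var reader = new XmlTextReader(xml))
        {
            reader.DtdProcessing = DtdProcessing.Prohibit;
            reader.XmlResolver = null;
            var dataSet = new DataSet();
            dataSet.ReadXml(reader);
            return dataSet;
        }
    }

    private static Stream AsStream(string text) =>
        new MemoryStream(Encoding.UTF8.GetBytes(text));

    public static void Main()
    {
        // Constructed inputs: a plain document DataSet can infer a table
        // from, and the same document preceded by an external DTD reference.
        const string plain =
            "<Root><Row><Name>alice</Name></Row></Root>";
        const string withExternalDtd =
            "<!DOCTYPE Root SYSTEM \"http://example.invalid/root.dtd\">" +
            "<Root><Row><Name>alice</Name></Row></Root>";

        // Plain XML loads normally: one inferred table "Row" with one row.
        DataSet ok = LoadUntrustedXml(AsStream(plain));
        Console.WriteLine($"Loaded {ok.Tables["Row"].Rows.Count} row(s) from plain XML.");

        // The DOCTYPE is rejected before anything is resolved or parsed further.
        foreach (var loader in new Func<Stream, DataSet>[] { LoadUntrustedXml, LoadWithXmlTextReader })
        {
            try
            {
                loader(AsStream(withExternalDtd));
                Console.WriteLine("Unexpected: DTD was accepted.");
            }
            catch (XmlException ex)
            {
                Console.WriteLine($"Rejected XML with DTD: {ex.Message}");
            }
        }
    }
}
```

Prohibiting DTDs entirely is the simplest safe default for a `DataSet`, because the XML it consumes (data rows or an inline schema) does not need entity declarations. If a trusted, internal DTD genuinely must be parsed, keep `XmlResolver = null` and switch only `DtdProcessing` to `Parse`; the null resolver is what stops external resources from being fetched.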