
CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc


CSHARP.LIB.XML.INSEC_XSLT : Insecure XSLT Execution (C#)

Summary

A method call to XSL transformation might resolve external URIs.

This checker finds code that parses XML files without turning off the loading and parsing of external entities referenced from those files. This can lead to security problems, since such entities might be downloaded from insecure servers, or from servers whose responses exhaust memory or otherwise cause a denial of service. As OWASP puts it, "An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts."

For more information, see the Microsoft .NET documentation on XSLT Security Considerations. In general, an XSLT transformation is safe if one of the following holds.

Properties

Class Name     Insecure XSLT Execution (C#)
Significance   security
Mnemonic       CSHARP.LIB.XML.INSEC_XSLT
Categories     CWE          CWE:611              Improper Restriction of XML External Entity Reference
               DISA-6r1     DISA-6r1:V-222608    The application must not be vulnerable to XML-oriented attacks.
               DISA-5r3     DISA-5r3:V-70269     The application must not be vulnerable to XML-oriented attacks.
               DISA-4r3     DISA-4r3:V-70269     The application must not be vulnerable to XML-oriented attacks.
               OWASP-2017   OWASP-2017:A6        Security misconfiguration
               OWASP-2021   OWASP-2021:A5        Security misconfiguration
               OWASP-2025   OWASP-2025:A02       Security Misconfiguration
Availability   Available for C# only.
Enabling       Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.

               WARNING_FILTER += discard class="Insecure XSLT Execution (C#)"

Example

using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;
using System.Xml.XPath;
using System.Xml.Xsl;

namespace DocumentationExamples
{

  public partial class Xxe
  {
    public static void Main(string[] args)
    { }

    public void UnsafeXmlReader(string xml)
    {
      XmlReader myReader = XmlReader.Create(new StringReader(xml), new XmlReaderSettings() { DtdProcessing = DtdProcessing.Parse });
      while (myReader.Read())                                                                       // Possible XML External Entity Reference (C#) warning issued here
      {
        Console.WriteLine(myReader.Value);
      }
    }
    public void UnsafeXmlTextReader(string xml)
    {
      XmlTextReader myReader = new XmlTextReader(new StringReader(xml));
      while (myReader.Read())                                                                       // Possible XML External Entity Reference (C#) warning issued here
      {
        Console.WriteLine(myReader.Value);
      }
    }
    public void UnsafeXmlDocumentReader(string xml)
    {
      XmlDocument xmlDoc = new XmlDocument
      {
        XmlResolver = new XmlUrlResolver()
      };
      xmlDoc.LoadXml(xml);                                                                          // Possible XML External Entity Reference (C#) warning issued here
    }
    public void UnsafeXPathNavigator(string xml)
    {
      XPathDocument doc = new XPathDocument(new StringReader(xml));
      XPathNavigator nav = doc.CreateNavigator();                                                   // Possible XML External Entity Reference (C#) warning issued here
    }
    public void UnsafeXslCompiledTransform(string input, string toTransform)
    {
      XslCompiledTransform xslt = new XslCompiledTransform();
      xslt.Load(XmlReader.Create(new StringReader(input),
                                 new XmlReaderSettings() { DtdProcessing = DtdProcessing.Parse }));  // Possible XML External Entity Reference (C#) warning issued here
      using (XmlWriter writer = XmlWriter.Create("books.html"))
        xslt.Transform(XmlReader.Create(new StringReader(toTransform),
                                        new XmlReaderSettings() { DtdProcessing = DtdProcessing.Parse }),
                       writer);                                                                     // Possible XML External Entity Reference (C#) warning issued here
    }
    public void UnsafeXDocument(string xml)
    {
      XmlReader myReader = XmlReader.Create(new StringReader(xml), new XmlReaderSettings() { DtdProcessing = DtdProcessing.Parse });
      XDocument xRoot = XDocument.Load(myReader);                                                   // Possible XML External Entity Reference (C#) warning issued here
    }
    public void UnsafeXmlDictionaryReader(string xml)
    {
      XmlReader myReader = XmlReader.Create(new StringReader(xml), new XmlReaderSettings() { DtdProcessing = DtdProcessing.Parse });
      XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(myReader);            // Possible XML External Entity Reference (C#) warning issued here
    }
    public void InsecureSettings(string stylesheet)
    {
      XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
      XsltSettings settings = XsltSettings.TrustedXslt;
      XmlUrlResolver resolver = new XmlUrlResolver();
      xslCompiledTransform.Load(stylesheet, settings, resolver);                                    // Insecure XSLT Execution (C#) warning issued here
    }
  }
}

Resolution

Turn off the automatic resolution and download of external entities referenced from XML files before parsing such files. How this is done depends on the kind of XML parser in use; the checker documentation gives the correct solution for each kind of parser.
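The following program is an added example, not code from the CodeSonar manual or from Microsoft. It shows the hardened counterpart of the InsecureSettings and UnsafeXslCompiledTransform methods above: the stylesheet is compiled with XsltSettings.Default (document() and script blocks disabled) and a null stylesheet resolver, and both the stylesheet and the input document are read through XmlReaderSettings that prohibit DTDs and carry no XmlResolver. The stylesheet and input strings are constructed for this example; the class and method names are this example's own, and it assumes a .NET runtime providing System.Xml.Xsl.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Added example (not CodeSonar's or Microsoft's code): hardened XSLT execution.
public static class SecureXslt
{
    // Reader settings that refuse any DOCTYPE and never resolve URIs.
    private static XmlReaderSettings SecureReaderSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit, // a DOCTYPE in the input raises XmlException
        XmlResolver = null                      // no external entity or URI resolution at all
    };

    // Compiles a stylesheet with the restrictive defaults: XsltSettings.Default disables
    // the document() function and embedded script; a null stylesheetResolver means
    // xsl:import / xsl:include targets are not fetched.
    public static XslCompiledTransform LoadStylesheet(string stylesheet)
    {
        var xslt = new XslCompiledTransform();
        using (XmlReader reader = XmlReader.Create(new StringReader(stylesheet), SecureReaderSettings()))
        {
            xslt.Load(reader, XsltSettings.Default, null);
        }
        return xslt;
    }

    // Runs the transform over an input document read with the same restrictive settings.
    public static string Transform(XslCompiledTransform xslt, string inputXml)
    {
        var output = new StringWriter();
        var writerSettings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (XmlReader input = XmlReader.Create(new StringReader(inputXml), SecureReaderSettings()))
        using (XmlWriter writer = XmlWriter.Create(output, writerSettings))
        {
            xslt.Transform(input, writer);
        }
        return output.ToString();
    }

    // Convenience wrapper that reports the outcome instead of propagating the exception.
    public static string Describe(string stylesheet, string inputXml)
    {
        try
        {
            return "output: " + Transform(LoadStylesheet(stylesheet), inputXml);
        }
        catch (XsltException e)   // stylesheet uses a disabled feature (e.g. document())
        {
            return "rejected stylesheet: " + e.Message;
        }
        catch (XmlException e)    // input (or stylesheet) contains a prohibited DTD
        {
            return "rejected XML: " + e.Message;
        }
    }

    public static void Main()
    {
        const string xslNs = "http://www.w3.org/1999/XSL/Transform";

        // Constructed benign stylesheet: copies the text of the root element.
        string plainStylesheet =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"" + xslNs + "\">" +
            "<xsl:template match=\"/\"><out><xsl:value-of select=\"/r\"/></out></xsl:template>" +
            "</xsl:stylesheet>";

        // Constructed stylesheet that tries to pull in an external document via document().
        string documentStylesheet =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"" + xslNs + "\">" +
            "<xsl:template match=\"/\"><out><xsl:value-of select=\"document('http://example.invalid/data.xml')\"/></out></xsl:template>" +
            "</xsl:stylesheet>";

        string plainInput = "<r>hello</r>";
        // Constructed input with an (internal-only) DTD; Prohibit rejects it regardless.
        string dtdInput = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";

        Console.WriteLine(Describe(plainStylesheet, plainInput));     // output: <out>hello</out>
        Console.WriteLine(Describe(documentStylesheet, plainInput));  // rejected stylesheet: ...
        Console.WriteLine(Describe(plainStylesheet, dtdInput));       // rejected XML: ...
    }
}
```

The contrast with the flagged InsecureSettings method is the pair XsltSettings.TrustedXslt plus XmlUrlResolver: TrustedXslt re-enables document() and script, and XmlUrlResolver lets both the stylesheet loader and the input reader follow any URI they encounter. If a stylesheet genuinely needs document() or xsl:include, enable only that one property on a fresh XsltSettings instance and supply a resolver that restricts access to known locations rather than falling back to TrustedXslt.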

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.


To report problems with this documentation, please visit https://support.codesecure.com/.