XML External Entity
Severity
High

External entities are a Document Type Definition (DTD) feature of XML parsers that lets a document reference other documents or data by URI. When a parser expands such entities from untrusted input, an attacker can read local files, make the parser issue requests to internal or external hosts, exfiltrate data, or cause a Denial of Service (DoS) through entity expansion.

Detector ID
csharp/xml-external-entity@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Noncompliant example

using System;
using System.IO;
using System.Xml;

public void XmlExternalEntityNoncompliant(string str)
{
    XmlReaderSettings readersetting = new XmlReaderSettings();
    // Noncompliant: `DtdProcessing.Parse` enables DTD processing, so a DOCTYPE in the
    // attacker-controlled `str` can declare entities. If an XmlResolver is set
    // (XmlUrlResolver is the default on older .NET Framework versions), external
    // entities are fetched and expanded into the document.
    readersetting.DtdProcessing = DtdProcessing.Parse;
    using (XmlReader reader = XmlReader.Create(new StringReader(str), readersetting))
    {
        while (reader.Read())
        {
            Console.WriteLine(reader.Value);
        }
    }
    Console.ReadLine();
}

Compliant example

using System;
using System.IO;
using System.Xml;

public void XmlExternalEntityCompliant(string str)
{
    XmlReaderSettings readersetting = new XmlReaderSettings();
    // Compliant: `DtdProcessing.Ignore` skips any DOCTYPE without warnings or exceptions,
    // so no entities are ever declared or expanded. `DtdProcessing.Prohibit` (the default)
    // is also compliant; it throws an XmlException when a DOCTYPE is encountered instead.
    readersetting.DtdProcessing = DtdProcessing.Ignore;
    using (XmlReader reader = XmlReader.Create(new StringReader(str), readersetting))
    {
        while (reader.Read())
        {
            Console.WriteLine(reader.Value);
        }
    }
    Console.ReadLine();
}
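The two snippets above show the setting in isolation. The following program, an added example that is not part of the detector page, puts the unsafe and hardened `XmlReaderSettings` side by side and feeds both a constructed XXE payload so the difference is visible: the unsafe reader expands an external entity into the contents of a local file, the hardened reader rejects the DOCTYPE before any entity is declared, and a benign document still parses. It assumes .NET 6 or later and a writable temp directory; the "secret" file, its path, and the payload are all constructed by the example itself. The hardened settings go beyond the page's single line by also clearing the resolver and bounding entity expansion, which addresses the DoS case the description mentions.

```csharp
// Added example (not from the CodeGuru page): unsafe vs. hardened XmlReaderSettings
// exercised against a constructed XXE payload. Assumes .NET 6+ and a writable temp dir.
using System;
using System.IO;
using System.Text;
using System.Xml;

public static class XxeDemo
{
    // Settings to use for any XML that crosses a trust boundary.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,  // a DOCTYPE throws XmlException (the default, set explicitly)
        XmlResolver = null,                      // never fetch external resources, even if DTDs were allowed
        MaxCharactersFromEntities = 1024,        // bound entity expansion (billion-laughs style DoS)
        MaxCharactersInDocument = 1 << 20,       // bound total input size
    };

    // Reads the document with the given settings and returns all text-node content.
    public static string ReadText(string xml, XmlReaderSettings settings)
    {
        var sb = new StringBuilder();
        using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
        {
            while (reader.Read())
            {
                if (reader.NodeType == XmlNodeType.Text)
                {
                    sb.Append(reader.Value);
                }
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed "sensitive" file standing in for /etc/passwd or an application secret.
        string secretPath = Path.Combine(Path.GetTempPath(), "xxe-demo-secret.txt");
        File.WriteAllText(secretPath, "TOP-SECRET-VALUE");
        string fileUri = new Uri(secretPath).AbsoluteUri; // file:///... form accepted by XmlUrlResolver

        // Constructed XXE payload: declares an external entity pointing at the file
        // and references it inside the document body.
        string payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"" + fileUri + "\"> ]>\n" +
            "<doc>&xxe;</doc>";

        // Unsafe: DTD parsing enabled plus a resolver that follows file:// and http(s):// URIs,
        // so the entity reference expands to the contents of the secret file.
        var unsafeSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver(),
        };
        Console.WriteLine("unsafe  : " + ReadText(payload, unsafeSettings));

        // Hardened: the DOCTYPE itself is rejected before any entity can be declared.
        try
        {
            ReadText(payload, HardenedSettings());
            Console.WriteLine("hardened: parsed (unexpected)");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("hardened: rejected (" + ex.Message + ")");
        }

        // A benign document without a DOCTYPE still parses under the hardened settings.
        Console.WriteLine("benign  : " + ReadText("<doc>hello</doc>", HardenedSettings()));

        File.Delete(secretPath);
    }
}
```

Run it with `dotnet run` in a console project. Note that `XmlReaderSettings` is only one of several XML entry points in .NET; the same review should be applied wherever `XmlDocument`, `XmlTextReader`, or `XPathDocument` are handed untrusted input, since each has its own DTD and resolver settings.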