hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
377fb00dea83549416b95929962f555395e7898f
codeql/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.cs
Tamas Vajk 03d1a3e0ad Trim test files + remove duplicate newlines
2021-07-01 16:09:11 +02:00

56 lines
2.1 KiB
C#
Raw Blame History

using System;
using System.IO;
using System.Web;
using System.Xml;
using System.Xml.Schema;
public class MissingXMLValidationHandler : IHttpHandler
{
public void ProcessRequest(HttpContext ctx)
{
String userProvidedXml = ctx.Request.QueryString["userProvidedXml"];
// BAD: User provided XML is processed without any validation,
// because there is no settings instance configured.
XmlReader.Create(new StringReader(userProvidedXml));
// BAD: User provided XML is processed without any validation,
// because the settings instance does not specify the ValidationType
XmlReaderSettings badSettings1 = new XmlReaderSettings();
XmlReader.Create(new StringReader(userProvidedXml), badSettings1);
// BAD: User provided XML is processed without any validation,
// because the settings instance specifies DTD as the ValidationType
XmlReaderSettings badSettings2 = new XmlReaderSettings();
badSettings2.ValidationType = ValidationType.DTD;
XmlReader.Create(new StringReader(userProvidedXml), badSettings2);
// GOOD: User provided XML is processed with validation
XmlReaderSettings goodSettings = new XmlReaderSettings();
goodSettings.ValidationType = ValidationType.Schema;
XmlSchemaSet sc = new XmlSchemaSet();
sc.Add("urn:my-schema", "my.xsd");
goodSettings.Schemas = sc;
XmlReader.Create(new StringReader(userProvidedXml), goodSettings);
// BAD: Allows user specified schemas
XmlReaderSettings badSettings3 = new XmlReaderSettings();
badSettings3.ValidationType = ValidationType.Schema;
badSettings3.ValidationFlags = XmlSchemaValidationFlags.ProcessInlineSchema;
badSettings3.ValidationFlags |= XmlSchemaValidationFlags.ProcessSchemaLocation;
XmlSchemaSet sc2 = new XmlSchemaSet();
sc2.Add("urn:my-schema", "my.xsd");
goodSettings.Schemas = sc2;
XmlReader.Create(new StringReader(userProvidedXml), badSettings3);
}
public bool IsReusable
{
get
{
return true;
}
}
}
Reference in New Issue View Git Blame Copy Permalink