
using System;
using System.Web;
using System.Web.Mvc;
using System.Xml;
/// <summary>
/// CodeQL test fixture for CWE-611 (XML external entity processing).
/// Each method builds XML readers in configurations the query is expected to
/// flag (marked BAD) or accept (marked GOOD). The readers are constructed but
/// never consumed; this is fixture code, not production logic.
/// </summary>
public class XMLHandler : IHttpHandler
{
    /// <summary>
    /// Handler entry point: opens an <see cref="XmlTextReader"/> over a
    /// request-controlled URI with DTD parsing enabled and a URL resolver attached.
    /// </summary>
    /// <param name="ctx">Current request; the "document" query-string value is used as the reader source.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        string documentUri = ctx.Request.QueryString["document"];

        // BAD: DtdProcessing.Parse together with an XmlUrlResolver lets a DTD in
        // the input pull in external entities (XXE), and the input itself comes
        // straight from the request, so this is a remote-input sink.
        var requestReader = new XmlTextReader(documentUri)
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
    }

    /// <summary>
    /// Two insecure reader configurations over a caller-supplied document URI.
    /// </summary>
    /// <param name="content">URI or path of the XML document to open.</param>
    public void insecureXMLBad(string content)
    {
        var unsafeSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };

        // BAD: the settings above permit DTD parsing and external entity resolution
        var settingsReader = XmlReader.Create(content, unsafeSettings);

        // BAD: the same two properties set directly on an XmlTextReader
        var textReader = new XmlTextReader(content);
        textReader.DtdProcessing = DtdProcessing.Parse;
        textReader.XmlResolver = new XmlUrlResolver();
    }

    /// <summary>
    /// Reader configurations that either rely on the framework's secure defaults
    /// or explicitly disable DTD processing / external resolution.
    /// </summary>
    /// <param name="content">XML text for <see cref="XmlDocument.LoadXml"/>; URI or path for the XmlTextReader cases.</param>
    public void insecureXMLGood(string content)
    {
        // GOOD: XmlDocument is secure after 4.6
        var document = new XmlDocument();
        document.LoadXml(content);

        // GOOD: XmlTextReader is secure by default after 4.5.2
        var defaultReader = new XmlTextReader(content);

        // GOOD: DTDs are rejected outright, so no entity expansion can occur
        var noDtdReader = new XmlTextReader(content);
        noDtdReader.DtdProcessing = DtdProcessing.Prohibit;

        // GOOD: with no resolver there is nothing to fetch external entities with
        var noResolverReader = new XmlTextReader(content);
        noResolverReader.XmlResolver = null;

        // GOOD: same mitigation applied to XmlDocument
        var noResolverDocument = new XmlDocument();
        noResolverDocument.XmlResolver = null;
        noResolverDocument.LoadXml(content);
    }

    /// <summary>The handler holds no per-request state, so one instance can serve many requests.</summary>
    public bool IsReusable => true;
}