Rule Wars
All rules
CA2350Security Enabled by default: No

Ensure DataTable.ReadXml()'s input is trusted

Ensure DataTable.ReadXml()'s input is trusted

Microsoft docs

Description

When deserializing a System.Data.DataTable with untrusted input, an attacker can craft malicious input to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.

For more information, see DataSet and DataTable security guidance.

Cause

The System.Data.DataTable.ReadXml method was called or referenced.

How to fix violations

  • If possible, use Entity Framework rather than the System.Data.DataTable.
  • Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.

Example

using System.Data;

public class ExampleClass
{
    public DataTable MyDeserialize(string untrustedXml)
    {
        DataTable dt = new DataTable();
        dt.ReadXml(untrustedXml);
    }
}
Your vote
Join a group to vote
Group results
0 yes 0 no
ConsensusNone (disabled)
Severity preference (yes voters)
Suggestion0
Warning0
Error0