CA3076 (Security). Enabled by default: No

Insecure XSLT Script Execution

Description

*XSLT* is a World Wide Web Consortium (W3C) standard for transforming XML data. XSLT is typically used to write style sheets that transform XML data into other formats such as HTML, fixed-length text, comma-separated text, or a different XML format. Although XSLT script execution is prohibited by default, you might choose to enable it for your project.

To ensure you're not exposing an attack surface, this rule triggers whenever System.Xml.Xsl.XslCompiledTransform.Load receives an insecure combination of System.Xml.Xsl.XsltSettings and System.Xml.XmlResolver instances, one that allows malicious script processing.

Cause

If you execute Extensible Stylesheets Language Transformations (XSLT) in .NET applications insecurely, the processor might resolve untrusted URI references that could disclose sensitive information to attackers, leading to denial of service and cross-site attacks. For more information, see XSLT Security Considerations (.NET Guide).

How to fix violations

  • Replace the insecure XsltSettings argument with System.Xml.Xsl.XsltSettings.Default or with an instance that has both the document() function and script execution disabled.
  • Replace the System.Xml.XmlResolver argument with null or with a System.Xml.XmlSecureResolver instance.
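The two fixes above combined into one loader, as an added example that is not part of the CA3076 documentation. The helper names (SecureXslt, Load, Transform), the sample stylesheets and the example.invalid URI are all constructed for this illustration; it assumes C# 8 or later. The second stylesheet shows the defensive effect of EnableDocumentFunction = false: the compiler rejects the document() call at Load time, before any URI would be resolved.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Added example, not from the CA3076 documentation. The helper names
// and the sample stylesheets below are constructed for illustration.
static class SecureXslt
{
    // Equivalent to XsltSettings.Default, written out so the two flags the rule
    // cares about are visible at the call site.
    static readonly XsltSettings HardenedSettings =
        new XsltSettings(enableDocumentFunction: false, enableScript: false);

    // Compiles a stylesheet from text. The reader prohibits DTDs and has no
    // resolver, and Load gets a null stylesheetResolver, so neither the
    // stylesheet itself nor xsl:import/xsl:include can reach external URIs.
    public static XslCompiledTransform Load(string stylesheetXml)
    {
        var readerSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using var reader = XmlReader.Create(new StringReader(stylesheetXml), readerSettings);
        var transform = new XslCompiledTransform();
        transform.Load(reader, HardenedSettings, stylesheetResolver: null); // no CA3076 warning
        return transform;
    }

    // Runs a compiled transform over an XML document held in memory.
    public static string Transform(XslCompiledTransform transform, string inputXml)
    {
        using var input = XmlReader.Create(new StringReader(inputXml));
        var output = new StringWriter();
        transform.Transform(input, null, output);
        return output.ToString();
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample: a plain stylesheet that only reads its input.
        const string safeStylesheet =
@"<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"">
  <xsl:output method=""text""/>
  <xsl:template match=""/""><xsl:value-of select=""/order/@id""/></xsl:template>
</xsl:stylesheet>";
        const string input = @"<order id=""42""/>";

        var transform = SecureXslt.Load(safeStylesheet);
        Console.WriteLine(SecureXslt.Transform(transform, input));

        // Constructed sample: a stylesheet that tries to pull in a remote document.
        // With EnableDocumentFunction false the compiler rejects it during Load,
        // so the URI is never resolved.
        const string fetchingStylesheet =
@"<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"">
  <xsl:template match=""/""><xsl:copy-of select=""document('http://example.invalid/data.xml')""/></xsl:template>
</xsl:stylesheet>";
        try
        {
            SecureXslt.Load(fetchingStylesheet);
        }
        catch (XsltException e)
        {
            Console.WriteLine("Stylesheet rejected: " + e.Message);
        }
    }
}
```

Passing XsltSettings.Default instead of the explicit HardenedSettings gives the same two flags; the explicit form is useful when settings are built elsewhere and you want the analyzer and a reviewer to see the values at the Load call. A null resolver is the simplest safe choice; the page's alternative, an XmlSecureResolver, applies when the stylesheet legitimately needs xsl:import or xsl:include from a restricted set of locations.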

Example

using System.Xml;
using System.Xml.Xsl;

namespace TestNamespace
{
    class TestClass
    {
        void TestMethod()
        {
            XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
            // TrustedXslt enables both document() and script execution, and
            // XmlUrlResolver will fetch any URI the stylesheet references.
            var settings = XsltSettings.TrustedXslt;
            var resolver = new XmlUrlResolver();
            xslCompiledTransform.Load("testStylesheet", settings, resolver); // warn
        }
    }
}

using System.Xml;
using System.Xml.Xsl;

namespace TestNamespace
{
    class TestClass
    {
        void TestMethod()
        {
            XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
            // Default disables document() and script execution, so the
            // resolver cannot be driven by the stylesheet.
            var settings = XsltSettings.Default;
            var resolver = new XmlUrlResolver();
            xslCompiledTransform.Load("testStylesheet", settings, resolver); // no warning
        }
    }
}

using System.Xml;
using System.Xml.Xsl;

namespace TestNamespace
{
    class TestClass
    {
        private static void TestMethod(XsltSettings settings)
        {
            try
            {
                XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
                var resolver = new XmlUrlResolver();
                // The settings come from the caller and may have document()
                // or script enabled, so the combination cannot be proven safe.
                xslCompiledTransform.Load("testStylesheet", settings, resolver); // warn
            }
            catch { throw; }
            finally { }
        }
    }
}

using System.Xml;
using System.Xml.Xsl;

namespace TestNamespace
{
    class TestClass
    {
        private static void TestMethod(XsltSettings settings)
        {
            try
            {
                XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
                // Explicitly disabling both features before Load makes the
                // caller-supplied settings safe to use with any resolver.
                settings.EnableDocumentFunction = false;
                settings.EnableScript = false;
                var resolver = new XmlUrlResolver();
                xslCompiledTransform.Load("testStylesheet", settings, resolver); // no warning
            }
            catch { throw; }
            finally { }
        }
    }
}

When to suppress

Unless you're sure that the input is known to be from a trusted source, do not suppress a warning from this rule.
