CA5366 | Security | Enabled by default: No

Use XmlReader For DataSet Read XML

Description

Using a System.Data.DataSet to read XML from untrusted data may load dangerous external references. Restrict this by reading through a System.Xml.XmlReader that has a secure resolver or has DTD processing disabled.

Cause

A Document Type Definition (DTD) defines the structure and the legal elements and attributes of an XML document. Referencing a DTD from an external resource can expose the application to Denial of Service (DoS) attacks. Apart from System.Xml.XmlReader, most readers cannot disable DTD processing or restrict the loading of external references. Using these other readers to load XML by one of the following methods triggers this rule:

  • System.Data.DataSet.ReadXml
  • System.Data.DataSet.ReadXmlSchema
  • System.Data.DataSet.ReadXmlSerializable

How to fix violations

Use System.Xml.XmlReader or its derived classes to read XML.

Example

using System.Data;
using System.IO;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // Violation: ReadXml is called with a Stream rather than an XmlReader, which triggers CA5366.
        new DataSet().ReadXml(new FileStream("xmlFilename", FileMode.Open));
    }
}

using System.Data;
using System.IO;
using System.Xml;

public class ExampleClass
{
    public void ExampleMethod()
    {
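        // Fix: wrap the stream in an XmlReader-derived class (XmlTextReader) before passing it to ReadXml.
        new DataSet().ReadXml(new XmlTextReader(new FileStream("xmlFilename", FileMode.Open)));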
    }
}
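
The Description's "DTD processing disabled" option, spelled out with explicit reader settings. This is an added example, not code from the original rule page; the class name SafeDataSetLoader and the sample XML strings are constructed for illustration.

```csharp
using System;
using System.Data;
using System.IO;
using System.Xml;

public static class SafeDataSetLoader
{
    // Reader settings that reject any DOCTYPE and never resolve external resources.
    private static readonly XmlReaderSettings HardenedSettings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
    };

    // Hypothetical helper: loads a DataSet only through the hardened XmlReader.
    public static DataSet Load(TextReader xml)
    {
        var dataSet = new DataSet();
        using (XmlReader reader = XmlReader.Create(xml, HardenedSettings))
        {
            dataSet.ReadXml(reader);
        }
        return dataSet;
    }

    public static void Main()
    {
        // Constructed sample input: a plain document and the same document carrying a DTD.
        const string plain = "<orders><order><id>1</id></order></orders>";
        const string withDtd = "<!DOCTYPE orders [<!ELEMENT orders ANY>]>" + plain;

        DataSet ok = Load(new StringReader(plain));
        Console.WriteLine("tables loaded: " + ok.Tables.Count);

        try
        {
            Load(new StringReader(withDtd));
            Console.WriteLine("unexpected: document with DTD was accepted");
        }
        catch (XmlException ex)
        {
            // DtdProcessing.Prohibit makes the reader throw as soon as it meets the DOCTYPE.
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

Catching XmlException at the call site lets the application log and reject a document that carries a DTD instead of failing further down the load path.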

When to suppress

Suppress a warning from this rule when dealing with a trusted data source.
