Use XmlReader for schema read
Description
Processing untrusted DTD and XML schemas may enable loading dangerous external references. Using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled restricts this. This rule detects code that uses the System.Xml.Schema.XmlSchema.Read method without XmlReader as a parameter.
Cause
Processing untrusted XML input with System.Xml.Schema.XmlSchema.Read called without an XmlReader object can potentially lead to denial of service, information disclosure, and server-side request forgery attacks. These attacks are enabled by untrusted DTD and XML schema processing, which allows XML bombs and malicious external entities to be included in the XML. Only with XmlReader is it possible to disable DTD and inline XML schema processing, because XmlReader has the ProhibitDtd and ProcessInlineSchema properties set to false by default in .NET Framework starting in version 4.0. The other input options, such as Stream, TextReader, and XmlSerializationReader, cannot disable DTD processing.
How to fix violations
Use the XmlSchema.Read(XmlReader, *) overloads, so that the reader's DTD and resolver settings govern how the schema is parsed.
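The following is an added example, not code from the documentation page: it shows the usual situation where the schema arrives as a Stream and the fix is to wrap that stream in an XmlReader whose settings prohibit DTDs and disable external resolution before calling the XmlSchema.Read(XmlReader, ValidationEventHandler) overload. The class name SchemaLoader, the method ReadSchema, and the two schema strings are constructed for this example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Schema;

public static class SchemaLoader
{
    // Hardened reader settings: no DTDs, no external resolution, no inline schema processing.
    private static readonly XmlReaderSettings SafeSettings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,          // any <!DOCTYPE> is an error, so no entity expansion
        XmlResolver = null,                               // external entities, imports and includes are never fetched
        ValidationType = ValidationType.None,
        ValidationFlags = XmlSchemaValidationFlags.None   // nothing inline is processed while reading
    };

    // Replaces XmlSchema.Read(Stream, handler): the stream is wrapped in an XmlReader
    // so that the settings above apply to the untrusted input.
    public static XmlSchema ReadSchema(Stream schemaStream, ValidationEventHandler handler)
    {
        using (XmlReader reader = XmlReader.Create(schemaStream, SafeSettings))
        {
            return XmlSchema.Read(reader, handler);
        }
    }

    public static void Main()
    {
        // Constructed sample: a minimal, well-formed schema.
        const string goodSchema = @"<?xml version=""1.0""?>
<xs:schema xmlns:xs=""http://www.w3.org/2001/XMLSchema"">
  <xs:element name=""note"" type=""xs:string""/>
</xs:schema>";

        // Constructed sample: the same kind of document preceded by a DOCTYPE, as untrusted input might be.
        const string dtdSchema = @"<?xml version=""1.0""?>
<!DOCTYPE xs:schema>
<xs:schema xmlns:xs=""http://www.w3.org/2001/XMLSchema""/>";

        ValidationEventHandler handler = (sender, e) => Console.WriteLine($"{e.Severity}: {e.Message}");

        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(goodSchema)))
        {
            XmlSchema schema = ReadSchema(ms, handler);
            Console.WriteLine($"Loaded schema with {schema.Items.Count} top-level item(s).");
        }

        try
        {
            using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(dtdSchema)))
            {
                ReadSchema(ms, handler);
            }
        }
        catch (XmlException ex)
        {
            // With DtdProcessing.Prohibit the reader stops at the DOCTYPE before anything in it is processed.
            Console.WriteLine($"Rejected: {ex.Message}");
        }
    }
}
```

Setting XmlResolver to null is what prevents the schema parser from following xs:import or xs:include locations to external URLs; DtdProcessing.Prohibit alone does not cover those.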
Example
Violation

using System.IO;
using System.Xml.Schema;
...
public void TestMethod(Stream stream, ValidationEventHandler validationEventHandler)
{
    // Flagged: the Stream overload cannot disable DTD processing.
    XmlSchema.Read(stream, validationEventHandler);
}

Solution

using System.Xml;
using System.Xml.Schema;
...
public void TestMethod(XmlReader reader, ValidationEventHandler validationEventHandler)
{
    // The caller-supplied XmlReader controls DTD and resolver settings.
    XmlSchema.Read(reader, validationEventHandler);
}

When to suppress
You can potentially suppress this warning if the System.Xml.Schema.XmlSchema.Read method is always used to process XML that comes from a trusted source and hence cannot be tampered with.