//semmle-extractor-options: /r:System.Collections.Specialized.dll /r:System.Runtime.Extensions.dll ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Xml.ReaderWriter.dll /r:System.Private.Xml.dll
using System;
using System.IO;
using System.Web;
using System.Xml;
using System.Xml.Schema;
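/// <summary>
/// CodeQL test fixture for the "missing XML validation" query. Every
/// <see cref="XmlReader.Create(TextReader, XmlReaderSettings)"/> call below is a
/// sink fed by request-controlled XML; each is labelled BAD or GOOD according to
/// whether the reader settings enforce schema validation against a schema set
/// the application itself owns.
/// </summary>
public class MissingXMLValidationHandler : IHttpHandler
{
    /// <summary>
    /// Parses the <c>userProvidedXml</c> query-string parameter with a series of
    /// reader configurations, from no validation at all to strict schema validation.
    /// </summary>
    /// <param name="ctx">Request context; only <c>Request.QueryString</c> is read.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        // Untrusted input: taken straight from the query string. Note the indexer
        // yields null when the parameter is absent; the fixture does not guard that.
        String userProvidedXml = ctx.Request.QueryString["userProvidedXml"];

        // BAD: no settings instance at all, so the reader performs no validation.
        XmlReader.Create(new StringReader(userProvidedXml));

        // BAD: a default settings instance leaves ValidationType at None.
        XmlReaderSettings badSettings1 = new XmlReaderSettings();
        XmlReader.Create(new StringReader(userProvidedXml), badSettings1);

        // BAD: DTD validation only checks the document against the DTD the document
        // itself declares, so the sender controls the "schema" being validated against.
        XmlReaderSettings badSettings2 = new XmlReaderSettings();
        badSettings2.ValidationType = ValidationType.DTD;
        XmlReader.Create(new StringReader(userProvidedXml), badSettings2);

        // GOOD: schema validation against a schema set supplied by the application.
        // NOTE(review): validation happens as nodes are read, not inside Create();
        // production code must actually consume (and dispose) the reader, and without
        // a ValidationEventHandler a violation surfaces as XmlSchemaValidationException.
        XmlReaderSettings goodSettings = new XmlReaderSettings();
        goodSettings.ValidationType = ValidationType.Schema;
        XmlSchemaSet sc = new XmlSchemaSet();
        sc.Add("urn:my-schema", "my.xsd");
        goodSettings.Schemas = sc;
        XmlReader.Create(new StringReader(userProvidedXml), goodSettings);

        // BAD: ProcessInlineSchema / ProcessSchemaLocation let the document bring its
        // own schema, or point at an external one, which bypasses the trusted set.
        XmlReaderSettings badSettings3 = new XmlReaderSettings();
        badSettings3.ValidationType = ValidationType.Schema;
        badSettings3.ValidationFlags = XmlSchemaValidationFlags.ProcessInlineSchema;
        badSettings3.ValidationFlags |= XmlSchemaValidationFlags.ProcessSchemaLocation;
        XmlSchemaSet sc2 = new XmlSchemaSet();
        sc2.Add("urn:my-schema", "my.xsd");
        // Fixed copy-paste error: the schema set was previously assigned to
        // goodSettings (already used above) rather than to badSettings3, so this
        // case never had any schemas configured at all.
        badSettings3.Schemas = sc2;
        XmlReader.Create(new StringReader(userProvidedXml), badSettings3);
    }

    /// <summary>
    /// The handler holds no per-request state, so a single instance may be reused.
    /// </summary>
    public bool IsReusable
    {
        get { return true; }
    }
}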