Reputation: 13297
A security scan of our C# source reported "Missing XML Validation" as a possible injection flaw. It cited https://cwe.mitre.org/data/definitions/112.html and other sources.
Its recommendation was:
Always enable validation when you parse XML. If enabling validation causes problems because the rules for defining a well-formed document are Byzantine or altogether unknown, chances are good that there are security errors nearby.
Example: The following code demonstrates how to enable validation when using XmlReader.
XmlReaderSettings settings = new XmlReaderSettings();
settings.Schemas.Add(schema);
settings.ValidationType = ValidationType.Schema;
StringReader sr = new StringReader(xmlDoc);
XmlReader reader = XmlReader.Create(sr, settings);
I have an XSD schema available for validation. My question is, how do I load the XSD as an XmlSchema without duplicating the error of loading an XML file without validation?
If I read the XSD from the file system, I think I am just duplicating the same error (reading XML without validation). Is there a recommended way to do this?
Our first approach was to read the XSD from the file system, like:
XmlTextReader xsdReader = new XmlTextReader("MySchema.xsd");
XmlSchema schema = XmlSchema.Read(xsdReader, ValidationCallback);
But, I believe this causes the same error, reading the XML (in this case the XSD) without validation.
The approach that we are using now (that I think will pass the security scan) is to load the XSD from an embedded resource.
Stream xsdStream = Assembly.GetAssembly(typeof(MyType))
.GetManifestResourceStream("MyNamespace.MySchema.xsd");
if (xsdStream == null) throw ...
XmlSchema schema = XmlSchema.Read(xsdStream, ValidationCallback);
We have not rescanned yet, but I suspect the embedded resource approach will pass. But, is there recommended or best practice approach to this?
Upvotes: 3
Views: 2015
Reputation: 163587
Anyone who can write the phrase "If enabling validation causes problems because the rules for defining a well-formed document are Byzantine" is revealing that they know very little about XML; it seems they don't understand the difference between being valid and being well-formed, which is pretty fundamental. So you're having to find ways of getting around rules that aren't very smart. At this point you have to decide whether your objective is to make the system more secure, or to pass the security tests.
It's very hard to see what security vulnerabilities will be fixed by enabling validation.
Especially as you can write a schema that accepts any document as valid, and I bet your security tool will be happily content that you are obeying the rules even though you haven't increased security one iota.
When a schema processor loads a schema then it automatically validates that it is a valid schema. So there really isn't any risk. But whether your security scanner accepts that there isn't any risk is another matter entirely.
Upvotes: 1
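As an added example (not code from the question or the answer), the following C# puts the two threads together: it loads the XSD from an embedded resource as the question's current approach does, relies on XmlSchemaSet.Compile() to reject a malformed schema as the answer describes, and then validates an instance document with the XmlReaderSettings the scanner recommended. The resource name "MyNamespace.MySchema.xsd" is the placeholder from the question; the inline XSD and XML strings in Demo() are constructed sample data. The DtdProcessing and XmlResolver settings are an added hardening step that the page itself does not discuss: they stop both the schema parse and the document parse from fetching external entities or remote schema imports, which is where the real injection risk in XML parsing usually sits.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Xml;
using System.Xml.Schema;

public static class SchemaValidation
{
    // Shared reader settings: no DTD processing and no external resolver,
    // so neither the XSD nor the instance document can pull in external content.
    private static XmlReaderSettings HardenedReaderSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
    }

    // Reads one XSD from a stream into a compiled XmlSchemaSet.
    // Compile() throws XmlSchemaException if the XSD is not itself a valid schema,
    // which is the built-in check the answer refers to.
    public static XmlSchemaSet LoadSchema(Stream xsdStream)
    {
        var schemaSet = new XmlSchemaSet { XmlResolver = null }; // no xs:import/xs:include fetches
        using (XmlReader xsdReader = XmlReader.Create(xsdStream, HardenedReaderSettings()))
        {
            schemaSet.Add(null, xsdReader); // null: take targetNamespace from the XSD itself
        }
        schemaSet.Compile();
        return schemaSet;
    }

    // The question's embedded-resource approach, wrapped around LoadSchema.
    // resourceName is e.g. "MyNamespace.MySchema.xsd" (placeholder from the question).
    public static XmlSchemaSet LoadEmbeddedSchema(Assembly assembly, string resourceName)
    {
        using (Stream xsdStream = assembly.GetManifestResourceStream(resourceName))
        {
            if (xsdStream == null)
                throw new FileNotFoundException("Embedded schema resource not found: " + resourceName);
            return LoadSchema(xsdStream);
        }
    }

    // Validates xmlDoc against schemaSet and returns every validation message.
    // An empty list means the document is both well-formed and schema-valid.
    public static List<string> Validate(string xmlDoc, XmlSchemaSet schemaSet)
    {
        var errors = new List<string>();
        XmlReaderSettings settings = HardenedReaderSettings();
        settings.Schemas = schemaSet;
        settings.ValidationType = ValidationType.Schema;
        // Report content the schema does not cover instead of silently skipping it.
        settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        settings.ValidationEventHandler += (sender, e) => errors.Add(e.Severity + ": " + e.Message);

        using (var sr = new StringReader(xmlDoc))
        using (XmlReader reader = XmlReader.Create(sr, settings))
        {
            while (reader.Read()) { } // pulling through the document triggers validation
        }
        return errors;
    }

    // Constructed sample data: a tiny schema plus one valid and one invalid document.
    public static void Demo()
    {
        const string xsd =
            "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>" +
            "<xs:element name='order'><xs:complexType><xs:sequence>" +
            "<xs:element name='qty' type='xs:positiveInteger'/>" +
            "</xs:sequence></xs:complexType></xs:element></xs:schema>";

        XmlSchemaSet schemaSet;
        using (var xsdStream = new MemoryStream(System.Text.Encoding.UTF8.GetBytes(xsd)))
            schemaSet = LoadSchema(xsdStream);

        Console.WriteLine(Validate("<order><qty>3</qty></order>", schemaSet).Count);      // 0 messages
        foreach (string msg in Validate("<order><qty>-3</qty></order>", schemaSet))       // type violation
            Console.WriteLine(msg);
    }
}
```

Two design notes. First, setting XmlResolver to null on the XmlSchemaSet means an XSD that relies on xs:import or xs:include of another file will fail to compile; if your schema is split across files, embed all of them and add each to the set explicitly rather than re-enabling the resolver. Second, the ValidationEventHandler is what makes validation visible: without it, XmlReader raises an exception on the first error, which is fine for a hard fail but loses the full list of problems that a scan or a log entry would want.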