Jesse

Reputation: 278

Fortify Command Injection fix

Fortify shows me a Command Injection on the code below

    using System.IO;
    using System.Xml;
    using System.Xml.Serialization;

    // Method signature added so the snippet compiles; the post shows only the body.
    public static T Deserialize<T>(string s)
    {
        XmlSerializer serializer = new XmlSerializer(typeof(T));
        TextReader read = new StringReader(s);

        System.Xml.XmlReaderSettings settings = new System.Xml.XmlReaderSettings();
        settings.DtdProcessing = System.Xml.DtdProcessing.Prohibit;
        settings.MaxCharactersFromEntities = 100;
        System.Xml.XmlReader reader = System.Xml.XmlTextReader.Create(read, settings);
        return (T)serializer.Deserialize(reader); //bad code
    }

shows the vulnerability in the following line

    return (T)serializer.Deserialize(reader); //bad code

How can I resolve this situation?

Note: it doesn't give any error, it says this line of code is suspicious.

Upvotes: 0

Views: 861

Answers (1)

Chris Schaller

Reputation: 16689

This is a code style warning. There is no type checking or error handling around that line of code, most linters would pick up explicit casts as warnings by default because it is suspicious.

In your business process you might have justified reason to assume that the type will always cast to T, or you might fully expect to catch the exception higher up, but in general explicit casts that are not wrapped with exception handling or challenged by type checking are indicators of lazy programming where you are brute forcing a conversion.

It is up to you how to proceed of course, but be aware of the risk that this line of code will result in a runtime error.

V580. Suspicious explicit type casting. Consider inspecting the expression.

Upvotes: 2
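The following is an added example, written for this page rather than taken from the question or from Chris Schaller's answer. It reworks the questioner's helper so that the cast the scanner flagged is replaced by a type test with error handling, and it keeps the XML hardening the original already had (`DtdProcessing.Prohibit`, `MaxCharactersFromEntities`) while also pinning `XmlResolver` to null. The names `SafeXml`, `TryDeserialize`, `Order` and the sample XML strings are constructed for the demo and are not from the original post.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Constructed sample type for the demo (not from the original post).
public class Order
{
    public int Id { get; set; }
    public string Customer { get; set; }
}

public static class SafeXml
{
    // Hardened variant of the questioner's helper: same XmlReaderSettings idea,
    // plus an explicit null resolver, a root-element check and a type test
    // instead of a blind (T) cast. Returns false instead of throwing.
    public static bool TryDeserialize<T>(string xml, out T result) where T : class
    {
        result = null;

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,   // refuse DOCTYPE and entity declarations
            MaxCharactersFromEntities = 100,          // cap entity expansion as a second line of defence
            XmlResolver = null,                       // never fetch external resources
            IgnoreProcessingInstructions = true,
            IgnoreComments = true
        };

        var serializer = new XmlSerializer(typeof(T));

        try
        {
            using (var text = new StringReader(xml))
            using (var reader = XmlReader.Create(text, settings))
            {
                // The root element must match what XmlSerializer expects for T;
                // otherwise Deserialize would throw InvalidOperationException.
                if (!serializer.CanDeserialize(reader))
                    return false;

                object obj = serializer.Deserialize(reader);

                // Pattern match instead of an explicit cast: no InvalidCastException
                // can escape from here, which is what the V580-style warning is about.
                if (obj is T typed)
                {
                    result = typed;
                    return true;
                }
                return false;
            }
        }
        catch (InvalidOperationException)
        {
            // XmlSerializer wraps malformed XML and schema mismatches in InvalidOperationException.
            return false;
        }
        catch (XmlException)
        {
            // A DOCTYPE rejected by DtdProcessing.Prohibit surfaces here from CanDeserialize.
            return false;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs: a well-formed document, one carrying a DOCTYPE, one with the wrong root.
        string good = "<Order><Id>42</Id><Customer>acme</Customer></Order>";
        string withDtd = "<!DOCTYPE Order [<!ENTITY x \"y\">]><Order><Id>1</Id></Order>";
        string wrongRoot = "<Invoice><Id>7</Id></Invoice>";

        Console.WriteLine(SafeXml.TryDeserialize(good, out Order o) ? $"ok: {o.Id} {o.Customer}" : "rejected");
        Console.WriteLine(SafeXml.TryDeserialize(withDtd, out Order _) ? "ok" : "rejected (DTD prohibited)");
        Console.WriteLine(SafeXml.TryDeserialize(wrongRoot, out Order _) ? "ok" : "rejected (root mismatch)");
    }
}
```

The `Try...` shape moves the failure decision to the caller: untrusted XML that is malformed, carries a DOCTYPE, or does not describe a `T` is reported as `false` rather than as an exception thrown from deep inside a cast, and the scanner no longer sees an unchecked conversion.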
