Missing XML validation issue reported in Fortify scan
Problem description:
Fortify Scan reported Missing XML validation at the line below.
XmlReader.Create(memoryStream)
There is no XSD available for the input string. I want to validate memoryStream before it goes into XmlReader.Create(memoryStream). Is there a best way to validate memoryStream as XML in the code below to satisfy the Fortify scan?
Actual code:
// Namespaces the snippet needs (System.IdentityModel assembly, .NET 4.5+):
using System;
using System.IO;
using System.Xml;
using System.IdentityModel.Protocols.WSTrust;

RequestSecurityTokenResponse resp;
// tokenstring is a base64-encoded RSTR received from the caller, i.e. untrusted input
using (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(tokenstring)))
using (XmlReader xmlReader = XmlReader.Create(memoryStream)) // the flagged line: default settings, no schema validation
{
    WSTrust13ResponseSerializer serializer = new WSTrust13ResponseSerializer();
    WSTrustSerializationContext serializationContext = new WSTrustSerializationContext();
    resp = serializer.ReadXml(xmlReader, serializationContext);
}
Fortify Says:
Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input.
Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.
What I have tried:
Tried to throw an error when TryParsToXML(string) does not parse.
I don't get it... Fortify told you exactly what the problem is. But you don't want to follow it? So ignore it and live with the "security risk", or follow the recommendation: create a proper XSD for your data to validate against.
Btw. did I mention that I think fortify is total crap? ;)
What I would do: ignore it until I have no other problems and there's nothing good on TV to watch...
Add XmlReaderSettings to the XmlReader.Create method.
Please refer to Missing XML Validation | 亂馬客 - 點部落.
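The following is an added example, not the original poster's code and not taken from the linked post or from Fortify's documentation. It puts together what the two answers point at: an XmlReaderSettings passed to XmlReader.Create (second answer) that validates the stream against an XSD (first answer), and it also closes the DTD/external-resolver holes that a validating reader does not close on its own. The schema, the urn:example:rstr namespace, the sample documents and the names ValidatedXml, HardenedSettings, LoadSchemas and ReadValidated are all constructed for illustration; the schema is deliberately tiny and is not the WS-Trust 1.3 schema.

```csharp
// Added example (not the poster's code). Constructed schema and inputs; names are hypothetical.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Schema;

static class ValidatedXml
{
    // Constructed schema: one root element, one required child with a bounded length.
    // Swap in the real schema (e.g. ws-trust-1.3.xsd and its imports) for a real RSTR.
    const string Xsd = @"<?xml version=""1.0""?>
<xs:schema xmlns:xs=""http://www.w3.org/2001/XMLSchema""
           targetNamespace=""urn:example:rstr"" xmlns=""urn:example:rstr""
           elementFormDefault=""qualified"">
  <xs:element name=""Response"">
    <xs:complexType>
      <xs:sequence>
        <xs:element name=""Token"">
          <xs:simpleType>
            <xs:restriction base=""xs:string""><xs:maxLength value=""4096""/></xs:restriction>
          </xs:simpleType>
        </xs:element>
      </xs:sequence>
      <xs:attribute name=""Context"" type=""xs:anyURI"" use=""optional""/>
    </xs:complexType>
  </xs:element>
</xs:schema>";

    public static XmlSchemaSet LoadSchemas()
    {
        // XmlResolver = null: never follow xs:import/xs:include to the network.
        var schemas = new XmlSchemaSet { XmlResolver = null };
        var xsdSettings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var r = XmlReader.Create(new StringReader(Xsd), xsdSettings))
        {
            schemas.Add(null, r); // null: take targetNamespace from the schema document
        }
        schemas.Compile();
        return schemas;
    }

    public static XmlReaderSettings HardenedSettings(XmlSchemaSet schemas)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,   // no DOCTYPE at all: stops XXE and entity-expansion bombs
            XmlResolver = null,                       // no external resource fetches, whatever the framework default is
            MaxCharactersInDocument = 1 << 20,        // cap parser work on attacker-sized input (1 MiB)
            MaxCharactersFromEntities = 1024,         // belt and braces if DTD processing is ever re-enabled
            ValidationType = ValidationType.Schema,
            Schemas = schemas,
            // Keep the two defaults and add ReportValidationWarnings. Do NOT add
            // ProcessInlineSchema or ProcessSchemaLocation: either lets the document
            // supply the schema it is "validated" against.
            ValidationFlags = XmlSchemaValidationFlags.ProcessIdentityConstraints
                            | XmlSchemaValidationFlags.AllowXmlAttributes
                            | XmlSchemaValidationFlags.ReportValidationWarnings,
        };
        // An element the schema set knows nothing about is only a *warning*
        // ("Could not find schema information for the element ..."); treat it as fatal too.
        settings.ValidationEventHandler += (sender, e) =>
            throw new XmlSchemaValidationException(e.Message, e.Exception);
        return settings;
    }

    // Mirrors the poster's flow (base64 -> MemoryStream -> XmlReader) with validation on.
    // Returns the element names seen so the caller can tell the whole document was walked.
    public static List<string> ReadValidated(string base64Xml, XmlSchemaSet schemas)
    {
        var names = new List<string>();
        using (var ms = new MemoryStream(Convert.FromBase64String(base64Xml)))
        using (var reader = XmlReader.Create(ms, HardenedSettings(schemas)))
        {
            while (reader.Read()) // validation fires node by node, so read to the end
            {
                if (reader.NodeType == XmlNodeType.Element) names.Add(reader.LocalName);
            }
        }
        return names;
    }

    static string B64(string s) { return Convert.ToBase64String(Encoding.UTF8.GetBytes(s)); }

    static void Main()
    {
        var schemas = LoadSchemas();

        // Constructed inputs: one valid document and three that must be rejected.
        string good       = "<Response xmlns='urn:example:rstr' Context='urn:ctx'><Token>abc</Token></Response>";
        string wrongShape = "<Response xmlns='urn:example:rstr'><Other/></Response>";
        string dtd        = "<!DOCTYPE x [<!ENTITY e 'boom'>]><Response xmlns='urn:example:rstr'><Token>&e;</Token></Response>";
        string unknownNs  = "<Response xmlns='urn:not:ours'><Token>abc</Token></Response>";

        Console.WriteLine(string.Join(",", ReadValidated(B64(good), schemas))); // Response,Token

        foreach (var bad in new[] { wrongShape, dtd, unknownNs })
        {
            try { ReadValidated(B64(bad), schemas); Console.WriteLine("ACCEPTED (unexpected)"); }
            catch (XmlException e) { Console.WriteLine("rejected by parser: " + e.Message); }           // the DOCTYPE case
            catch (XmlSchemaValidationException e) { Console.WriteLine("rejected by schema: " + e.Message); } // the other two
        }
    }
}
```

To apply this to the posted code, pass HardenedSettings(schemas) as the second argument of XmlReader.Create and let WSTrust13ResponseSerializer.ReadXml drive the reader as before; schema errors then surface from ReadXml as XmlSchemaValidationException. Two caveats a reviewer should keep in mind. First, the published ws-trust-1.3.xsd declares RequestSecurityTokenResponse with open content (xs:any with processContents="lax"), so validating a real RSTR against it constrains little beyond the outer elements, which is the "parser cannot understand the complete semantics" point in Fortify's own text; the ReportValidationWarnings handler above at least stops unknown namespaces from sailing through silently. Second, schema validation says nothing about whether the token inside the RSTR was issued by the STS you trust: the signature check on that token still belongs to the token handler, and the DtdProcessing/XmlResolver settings are what actually remove the parser-level attack surface regardless of what the scanner is asking for.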