Missing XML validation issue reported in fortify scan


Problem description


Fortify Scan reported Missing XML validation at the line below.

XmlReader.Create(memoryStream)



There is no XSD available for the input string. I want to validate memoryStream before it goes to XmlReader.Create(memoryStream). Is there any best way to validate memoryStream for XML in the code below to satisfy Fortify Scan?

Actual code:

using System;
using System.IO;
using System.Xml;
using System.IdentityModel.Protocols.WSTrust;

RequestSecurityTokenResponse resp;
// tokenstring is the base64-encoded WS-Trust response received from the caller
using (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(tokenstring)))
using (XmlReader xmlReader = XmlReader.Create(memoryStream)) // line flagged by Fortify: no XmlReaderSettings, no validation
{
    WSTrust13ResponseSerializer serializer = new WSTrust13ResponseSerializer();
    WSTrustSerializationContext serializationContext = new WSTrustSerializationContext();
    resp = serializer.ReadXml(xmlReader, serializationContext);
}



Fortify Says:
Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input.

Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.

What I have tried:

Tried to throw an error when TryParsToXML(string) does not parse.

Solution

I don't get it... Fortify told you exactly what the problem is. But you don't want to follow it? So ignore it, and live with the "security risk" or follow the recommendation - create a proper xsd for your data to verify against.

Btw., did I mention that I think Fortify is total crap? ;)

What I would do: ignore it until I have no other problems, and there's nothing good on TV to watch...


Add XmlReaderSettings to the XmlReader.Create method.
Please refer to Missing XML Validation | 亂馬客 - 點部落
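The following is an added example of what both answers recommend (create an XSD for the expected data and pass XmlReaderSettings to XmlReader.Create); it is not the poster's code and not taken from the linked 點部落 post. The schema, its namespace urn:example:token, the ValidatedXmlReaderFactory class and the sample tokens are all hypothetical; a real deployment would load the XSD describing the WS-Trust response it actually expects from a trusted location. Besides the schema validation that Fortify asks for, the settings also prohibit DTDs and disable external resolution, which is the part of XML hardening an XSD alone does not give you.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Schema;

public static class ValidatedXmlReaderFactory
{
    // Hypothetical schema for the token envelope (constructed for this example).
    private const string HypotheticalXsd =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" targetNamespace=\"urn:example:token\"" +
        " xmlns=\"urn:example:token\" elementFormDefault=\"qualified\">" +
        "<xs:element name=\"Token\"><xs:complexType><xs:sequence>" +
        "<xs:element name=\"Issuer\" type=\"xs:string\"/>" +
        "<xs:element name=\"Expires\" type=\"xs:dateTime\"/>" +
        "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    public static XmlReaderSettings CreateHardenedSettings()
    {
        var schemas = new XmlSchemaSet();
        schemas.XmlResolver = null; // never fetch schema imports/includes over the network
        using (var schemaReader = XmlReader.Create(new StringReader(HypotheticalXsd)))
        {
            schemas.Add("urn:example:token", schemaReader);
        }
        schemas.Compile();

        var settings = new XmlReaderSettings
        {
            ValidationType = ValidationType.Schema,     // what the Fortify finding asks for
            Schemas = schemas,
            DtdProcessing = DtdProcessing.Prohibit,     // any DOCTYPE makes the reader throw
            XmlResolver = null,                         // no external entity/resource resolution
            CloseInput = true,
        };
        // Report warnings (e.g. an element no schema knows about) as well as errors ...
        settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        // ... and fail closed on either instead of logging and continuing.
        settings.ValidationEventHandler += (sender, e) =>
            throw new XmlSchemaValidationException(
                $"Token XML failed schema validation ({e.Severity}): {e.Message}", e.Exception);
        return settings;
    }

    // Decodes the base64 token and drives a validating reader over the whole document.
    // Returns false with a reason for bad base64, malformed XML, DTD use, or schema violations.
    public static bool TryValidateToken(string base64Token, out string error)
    {
        error = null;
        byte[] bytes;
        try { bytes = Convert.FromBase64String(base64Token); }
        catch (FormatException ex) { error = "Token is not valid base64: " + ex.Message; return false; }

        try
        {
            using (var stream = new MemoryStream(bytes))
            using (var reader = XmlReader.Create(stream, CreateHardenedSettings()))
            {
                while (reader.Read()) { } // validation happens as the reader advances
            }
            return true;
        }
        catch (XmlException ex)                 // not well-formed, or a DOCTYPE was present
        {
            error = "Malformed XML: " + ex.Message; return false;
        }
        catch (XmlSchemaValidationException ex) // well-formed but does not match the XSD
        {
            error = ex.Message; return false;
        }
    }

    public static void Main()
    {
        // Constructed sample tokens (not real WS-Trust responses).
        string Encode(string xml) => Convert.ToBase64String(Encoding.UTF8.GetBytes(xml));
        string good = Encode("<Token xmlns=\"urn:example:token\"><Issuer>idp.example</Issuer>" +
                             "<Expires>2030-01-01T00:00:00Z</Expires></Token>");
        string withDtd = Encode("<!DOCTYPE Token [<!ENTITY x \"y\">]><Token xmlns=\"urn:example:token\">" +
                                "<Issuer>&x;</Issuer><Expires>2030-01-01T00:00:00Z</Expires></Token>");
        string wrongShape = Encode("<Token xmlns=\"urn:example:token\"><Issuer>idp.example</Issuer></Token>");

        foreach (var token in new[] { good, withDtd, wrongShape })
        {
            Console.WriteLine(TryValidateToken(token, out string err) ? "accepted" : "rejected: " + err);
        }
    }
}
```

Because an XmlReader is forward-only, the poster's code would call TryValidateToken first and then create a second reader over a fresh MemoryStream with the same CreateHardenedSettings() to hand to WSTrust13ResponseSerializer.ReadXml, so the serializer never sees a document that was not validated with those settings.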

