"An insecure overload of" warning


Question

I have the following code:

using (FileStream fs = new FileStream(path_to_xml, FileMode.Open))
{
    using (XmlReader xr = XmlReader.Create(fs))
    {
        // Do something with xr
    }
}

I get the warning:

CA3075: An insecure overload of XmlReader.Create which does not accept an XmlReaderSettings argument


If I change the Create statement and add an XmlReaderSettings like so:

using (XmlReader xr = XmlReader.Create(fs, new XmlReaderSettings()))

I get the warning:

CA3075: A potentially insecure XmlReaderSettings instance is provided to XmlReader.Create method.


What is the actual cause of this warning and what is the proper way to make it go away?


I'm using VS 2019 Preview 1.0


I have never seen this warning before and so perhaps it is new with VS 2019?


UPDATE: I have already looked at this page https://docs.microsoft.com/en-us/visualstudio/code-quality/ca3075-insecure-dtd-processing?view=vs-2017 and most of the solutions say to set 'XmlReaderSettings(){ DtdProcessing = DtdProcessing.Prohibit }' and I still get the warning.

Recommended answer

Looking at the documentation of the warning explains the root cause and many possible fixes, but it boils down to the fact that the XML being read can contain DTD references to potentially insecure places, and a carefully crafted document could represent a vulnerability. From the docs:


If you use insecure DtdProcessing instances or reference external entity sources, the parser may accept untrusted input and disclose sensitive information to attackers.


The problem lies in that the default settings of both XmlReader and XmlReaderSettings classes allow for such behavior. As the default presents this problem, you need to explicitly set a safe option, which ultimately boils down to setting DtdProcessing to DtdProcessing.Prohibit or XmlResolver to an XmlSecureResolver.


Back to your code, it can be changed as such:

using (XmlReader xr = XmlReader.Create(fs, new XmlReaderSettings() { DtdProcessing = DtdProcessing.Prohibit }))

// XmlSecureResolver has no parameterless constructor; it wraps an inner resolver and a securityUrl (placeholder here)
using (XmlReader xr = XmlReader.Create(fs, new XmlReaderSettings() { XmlResolver = new XmlSecureResolver(new XmlUrlResolver(), "http://localhost/") }))
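As an added example (not code from the question or the answer above), the following program shows what the hardened settings actually do at runtime: a reader created with DtdProcessing.Prohibit throws an XmlException as soon as it meets a DOCTYPE, while an ordinary document still parses. Both input documents are constructed strings, and the null XmlResolver is an extra assumption layered on top of the answer's DtdProcessing.Prohibit setting.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: exercises the hardened XmlReaderSettings from the answer
// against a plain document and a document that declares a DTD.
class HardenedXmlReaderDemo
{
    // Refuse DTD processing outright and resolve no external resources.
    // (XmlResolver = null is an assumption beyond the answer's own settings.)
    static XmlReaderSettings Hardened() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    // Returns the root element name, or the reader's error message when the
    // document is rejected before the root element is reached.
    static string ReadRoot(string xml, XmlReaderSettings settings)
    {
        try
        {
            using (var sr = new StringReader(xml))
            using (XmlReader xr = XmlReader.Create(sr, settings))
            {
                xr.MoveToContent(); // reads through any DOCTYPE node first
                return xr.Name;
            }
        }
        catch (XmlException e)
        {
            return "rejected: " + e.Message;
        }
    }

    static void Main()
    {
        // Constructed inputs: a plain document and one carrying a DTD.
        string clean = "<?xml version=\"1.0\"?><config><key>value</key></config>";
        string withDtd = "<?xml version=\"1.0\"?>"
                       + "<!DOCTYPE config [<!ELEMENT config ANY>]><config/>";

        Console.WriteLine(ReadRoot(clean, Hardened()));   // root element name
        Console.WriteLine(ReadRoot(withDtd, Hardened())); // DTD prohibited message
    }
}
```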
