Fortify Scan reported "Missing XML validation" at the line below.
XmlReader.Create(memoryStream)


There is no XSD available for the input string. I want to validate memoryStream before it goes into XmlReader.Create(memoryStream). Is there a best way to validate memoryStream as XML in the code below to satisfy Fortify Scan?

Actual code:

C#
RequestSecurityTokenResponse resp;
using (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(tokenstring)))
using (XmlReader xmlReader = XmlReader.Create(memoryStream))
{
    WSTrust13ResponseSerializer serializer = new WSTrust13ResponseSerializer();
    WSTrustSerializationContext serializationContext = new WSTrustSerializationContext();
    resp = serializer.ReadXml(xmlReader, serializationContext);
}


Fortify Says:
Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input.

Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.

What I have tried:

Tried to throw an error when TryParsToXML(string) does not parse.

Updated 2-Feb-17 21:22pm

I don't get it... Fortify told you exactly what the problem is. But you don't want to follow it? So ignore it and live with the "security risk", or follow the recommendation: create a proper XSD for your data to validate against.

Btw, did I mention that I think Fortify is total crap? ;)

What I would do: ignore it until I have no other problems and there's nothing good on TV to watch...
Add XmlReaderSettings to the XmlReader.Create method.
Please refer to Missing XML Validation | 亂馬客 - 點部落
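One way to apply that answer to the code in the question, as an added example (not code from either poster): pass a hardened XmlReaderSettings to XmlReader.Create. Even without an XSD, the settings below refuse inline DTDs (which closes entity-expansion and XXE paths), disable external resolution and cap document size; when a schema set is supplied, schema validation is switched on as well. The tokenstring variable and the WS-Trust types are the ones from the question; the size limits, the TokenReader class name and the sample payload in Main are constructed for this example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Schema;
using System.IdentityModel.Protocols.WSTrust;

// Added example, not the original poster's code.
static class TokenReader
{
    // Reader settings hardened whether or not an XSD is available.
    static XmlReaderSettings CreateSettings(XmlSchemaSet schemas)
    {
        var settings = new XmlReaderSettings
        {
            // Reject any inline DTD: blocks entity expansion and external entities.
            DtdProcessing = DtdProcessing.Prohibit,
            // No file or network fetches for external references.
            XmlResolver = null,
            // Size caps are constructed values for this example; tune to real tokens.
            MaxCharactersFromEntities = 1024,
            MaxCharactersInDocument = 1024 * 1024,
            CloseInput = true,
        };

        if (schemas != null)
        {
            // With an XSD available, also validate the document structure against it.
            settings.ValidationType = ValidationType.Schema;
            settings.Schemas = schemas;
            settings.ValidationFlags = XmlSchemaValidationFlags.ReportValidationWarnings;
            settings.ValidationEventHandler += (sender, e) =>
            {
                // Treat validation errors as fatal; warnings are ignored here.
                if (e.Severity == XmlSeverityType.Error)
                    throw e.Exception;
            };
        }

        return settings;
    }

    // Same flow as the question, with the settings applied. Passing null for
    // schemas gives the "no XSD available" case: well-formedness plus DTD prohibition.
    public static RequestSecurityTokenResponse ReadToken(string tokenstring, XmlSchemaSet schemas = null)
    {
        byte[] bytes = Convert.FromBase64String(tokenstring);
        using (var memoryStream = new MemoryStream(bytes))
        using (XmlReader xmlReader = XmlReader.Create(memoryStream, CreateSettings(schemas)))
        {
            var serializer = new WSTrust13ResponseSerializer();
            var serializationContext = new WSTrustSerializationContext();
            return serializer.ReadXml(xmlReader, serializationContext);
        }
    }

    static void Main()
    {
        // Constructed sample: a document carrying an inline DTD. With
        // DtdProcessing.Prohibit the reader throws XmlException on the first
        // Read() inside ReadXml, before any entity is expanded.
        string withDtd = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e \"x\">]><x>&e;</x>";
        string encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(withDtd));
        try
        {
            TokenReader.ReadToken(encoded);
            Console.WriteLine("unexpected: document accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("rejected as expected: " + ex.Message);
        }
    }
}
```

If the WS-Trust 1.3 schema is later obtained, load it into an XmlSchemaSet under the WS-Trust 1.3 namespace (http://docs.oasis-open.org/ws-sx/ws-trust/200512) and pass the set to ReadToken; the DTD and size restrictions stay in force either way.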

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)