Fortify Scan reported "Missing XML validation" at the line below.
XmlReader.Create(memoryStream)
There is no XSD available for the input string. I want to validate memoryStream before it is passed to XmlReader.Create(memoryStream). Is there a good way to validate memoryStream as XML in the code below so that it satisfies Fortify Scan?
Actual code:
RequestSecurityTokenResponse resp;
// Decode the base64 token and parse it with default reader settings
// (no XmlReaderSettings, so no DTD restriction or schema validation)
using (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(tokenstring)))
using (XmlReader xmlReader = XmlReader.Create(memoryStream))
{
    WSTrust13ResponseSerializer serializer = new WSTrust13ResponseSerializer();
    WSTrustSerializationContext serializationContext = new WSTrustSerializationContext();
    resp = serializer.ReadXml(xmlReader, serializationContext);
}
Fortify Says:
Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input.
Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.
What I have tried:
Tried to throw an error when TryParsToXML(string) fails to parse.
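As an added example (not the asker's code), this shows the hardening a reviewer would want on the XmlReader regardless of the scanner: DTDs prohibited, no external resolver, a size cap, and a validation pre-pass that runs against an XSD only when one is supplied. The 1 MiB limit and the optional XmlSchemaSet argument are assumptions, not values from the question.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Schema;
using System.IdentityModel.Protocols.WSTrust;

static class TokenXmlGuard
{
    // Hardened reader settings: no DTD (blocks entity expansion and external
    // entities), no external resource resolution, and a size cap on the token.
    // Schema validation is switched on only when an XmlSchemaSet is supplied.
    public static XmlReaderSettings HardenedSettings(XmlSchemaSet schemas)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersFromEntities = 1024,
            MaxCharactersInDocument = 1024 * 1024, // assumed 1 MiB upper bound
        };
        if (schemas != null)
        {
            // With no ValidationEventHandler attached, a schema violation
            // surfaces as XmlSchemaValidationException from reader.Read().
            settings.ValidationType = ValidationType.Schema;
            settings.Schemas = schemas;
        }
        return settings;
    }

    // Pre-pass: walk every node once so malformed or non-conforming input is
    // rejected before it ever reaches WSTrust13ResponseSerializer.ReadXml.
    public static bool IsAcceptable(byte[] tokenBytes, XmlSchemaSet schemas)
    {
        try
        {
            using (var ms = new MemoryStream(tokenBytes, false))
            using (var reader = XmlReader.Create(ms, HardenedSettings(schemas)))
            {
                while (reader.Read()) { }
            }
            return true;
        }
        catch (XmlException) { return false; }                 // not well-formed, or a DTD was present
        catch (XmlSchemaValidationException) { return false; } // does not conform to the XSD
    }

    public static RequestSecurityTokenResponse ReadResponse(string tokenstring, XmlSchemaSet schemas)
    {
        byte[] tokenBytes = Convert.FromBase64String(tokenstring);
        if (!IsAcceptable(tokenBytes, schemas))
            throw new FormatException("Token is not acceptable WS-Trust XML.");
        using (var ms = new MemoryStream(tokenBytes, false))
        using (var reader = XmlReader.Create(ms, HardenedSettings(schemas)))
            return new WSTrust13ResponseSerializer().ReadXml(reader, new WSTrustSerializationContext());
    }
}
```

When a WS-Trust XSD is available, load it with `var schemas = new XmlSchemaSet(); schemas.Add(null, "ws-trust-1.3.xsd");` (placeholder path) and pass it in; passing null keeps the DTD and size hardening but performs no schema check, and since the Fortify finding is specifically about validation against a DTD or schema, it may still be reported in that case.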