Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2351 below:

CA2351: Ensure DataSet.ReadXml()'s input is trusted (code analysis) - .NET

The DataSet.ReadXml method was called or referenced, and not within autogenerated code.

This rule classifies autogenerated code b:

• Being inside a method named ReadXmlSerializable.
• The ReadXmlSerializable method has a System.Diagnostics.DebuggerNonUserCodeAttribute.
• The ReadXmlSerializable method is within a type that has a System.ComponentModel.DesignerCategoryAttribute.

CA2361 is a similar rule, for when DataSet.ReadXml appears within autogenerated code.

When deserializing a DataSet with untrusted input, an attacker can craft malicious input to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.

For more information, see DataSet and DataTable security guidance.

• If possible, use Entity Framework rather than the DataSet.
• Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.

It's safe to suppress a warning from this rule if:

• You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
• You've taken one of the precautions in How to fix violations.

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA2351
// The code that's violating the rule is on this line.
#pragma warning restore CA2351

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA2351.severity = none

For more information, see How to suppress code analysis warnings.

using System.Data;

public class ExampleClass
{
    public DataSet MyDeserialize(string untrustedXml)
    {
        DataSet dt = new DataSet();
        dt.ReadXml(untrustedXml);
    }
}

CA2350: Ensure DataTable.ReadXml()'s input is trusted

CA2352: Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks

CA2353: Unsafe DataSet or DataTable in serializable type

CA2354: Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attack

CA2355: Unsafe DataSet or DataTable in deserialized object graph

CA2356: Unsafe DataSet or DataTable in web deserialized object graph

CA2361: Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data

CA2362: Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4