private void AnalyzeNodeForXmlDocumentDerivedTypeConstructorDecl(SyntaxNodeAnalysisContext context)
{
SyntaxNode node = context.Node;
SemanticModel model = context.SemanticModel;
IMethodSymbol methodSymbol = SyntaxNodeHelper.GetDeclaredSymbol(node, model) as IMethodSymbol;
if (methodSymbol == null ||
methodSymbol.MethodKind != MethodKind.Constructor ||
!((methodSymbol.ContainingType != _xmlTypes.XmlDocument) && methodSymbol.ContainingType.DerivesFrom(_xmlTypes.XmlDocument, baseTypesOnly: true)))
{
return;
}
bool hasSetSecureXmlResolver = false;
IEnumerable <SyntaxNode> assignments = _syntaxNodeHelper.GetDescendantAssignmentExpressionNodes(node);
foreach (SyntaxNode a in assignments)
{
// this is intended to be an assignment, not a bug
if (hasSetSecureXmlResolver = IsAssigningIntendedValueToPropertyDerivedFromType(a,
model,
(s) =>
{
return(SecurityDiagnosticHelpers.IsXmlDocumentXmlResolverProperty(s, _xmlTypes));
},
(n) =>
{
return(SyntaxNodeHelper.NodeHasConstantValueNull(n, model) ||
SecurityDiagnosticHelpers.IsXmlSecureResolverType(model.GetTypeInfo(n).Type, _xmlTypes));
},
out bool isTargetProperty))
{
break;
}
}
if (!hasSetSecureXmlResolver)
{
DiagnosticDescriptor rule = RuleDoNotUseInsecureDtdProcessingInApiDesign;
context.ReportDiagnostic(
CreateDiagnostic(
methodSymbol.Locations,
rule,
SecurityDiagnosticHelpers.GetLocalizableResourceString(
nameof(MicrosoftNetFrameworkAnalyzersResources.XmlDocumentDerivedClassConstructorNoSecureXmlResolverMessage),
SecurityDiagnosticHelpers.GetNonEmptyParentName(node, model)
)
)
);
}
}
// Trying to find every "this.XmlResolver = [Insecure Resolve];" in methods of types derived from XmlDocment and generate a warning for each
private void AnalyzeNodeForXmlDocumentDerivedTypeMethodDecl(SyntaxNodeAnalysisContext context)
{
SyntaxNode node = context.Node;
SemanticModel model = context.SemanticModel;
if (!(SyntaxNodeHelper.GetDeclaredSymbol(node, model) is IMethodSymbol methodSymbol) ||
// skip constructors since we report on the absence of secure assignment in AnalyzeNodeForXmlDocumentDerivedTypeConstructorDecl
methodSymbol.MethodKind == MethodKind.Constructor ||
!((methodSymbol.ContainingType != _xmlTypes.XmlDocument) && methodSymbol.ContainingType.DerivesFrom(_xmlTypes.XmlDocument, baseTypesOnly: true)))
{
return;
}
IEnumerable <SyntaxNode> assignments = _syntaxNodeHelper.GetDescendantAssignmentExpressionNodes(node);
foreach (SyntaxNode assignment in assignments)
{
// this is intended to be an assignment, not a bug
if (IsAssigningIntendedValueToPropertyDerivedFromType(assignment,
model,
(s) =>
{
return(SecurityDiagnosticHelpers.IsXmlDocumentXmlResolverProperty(s, _xmlTypes));
},
(n) =>
{
return(!(SyntaxNodeHelper.NodeHasConstantValueNull(n, model) ||
SecurityDiagnosticHelpers.IsXmlSecureResolverType(model.GetTypeInfo(n).Type, _xmlTypes)));
},
out bool isTargetProperty)
)
{
DiagnosticDescriptor rule = RuleDoNotUseInsecureDtdProcessingInApiDesign;
context.ReportDiagnostic(
CreateDiagnostic(
assignment.GetLocation(),
rule,
SecurityDiagnosticHelpers.GetLocalizableResourceString(
nameof(MicrosoftNetFrameworkAnalyzersResources.XmlDocumentDerivedClassSetInsecureXmlResolverInMethodMessage),
methodSymbol.Name
)
)
);
}
}
}