private void AnalyzeNodeForXmlTextReaderDerivedTypeConstructorDecl(SyntaxNodeAnalysisContext context)
{
SyntaxNode node = context.Node;
SemanticModel model = context.SemanticModel;
if (!(SyntaxNodeHelper.GetDeclaredSymbol(node, model) is IMethodSymbol methodSymbol) ||
methodSymbol.MethodKind != MethodKind.Constructor ||
!((!Equals(methodSymbol.ContainingType, _xmlTypes.XmlTextReader)) && methodSymbol.ContainingType.DerivesFrom(_xmlTypes.XmlTextReader, baseTypesOnly: true)))
{
return;
}
bool hasSetSecureXmlResolver = false;
bool isDtdProcessingDisabled = false;
IEnumerable <SyntaxNode> assignments = _syntaxNodeHelper.GetDescendantAssignmentExpressionNodes(node);
foreach (SyntaxNode assignment in assignments)
{
bool isTargetProperty = false;
hasSetSecureXmlResolver = hasSetSecureXmlResolver || IsAssigningIntendedValueToPropertyDerivedFromType(assignment,
model,
(s) =>
{
return(SecurityDiagnosticHelpers.IsXmlTextReaderXmlResolverProperty(s, _xmlTypes));
},
(n) =>
{
return(SyntaxNodeHelper.NodeHasConstantValueNull(n, model) ||
SecurityDiagnosticHelpers.IsXmlSecureResolverType(model.GetTypeInfo(n).Type, _xmlTypes));
},
out isTargetProperty);
if (isTargetProperty)
{
continue;
}
isDtdProcessingDisabled = isDtdProcessingDisabled || IsAssigningIntendedValueToPropertyDerivedFromType(assignment,
model,
(s) =>
{
return(SecurityDiagnosticHelpers.IsXmlTextReaderDtdProcessingProperty(s, _xmlTypes));
},
(n) =>
{
return(!SyntaxNodeHelper.GetSymbol(n, model).MatchFieldByName(_xmlTypes.DtdProcessing, SecurityMemberNames.Parse));
},
out isTargetProperty);
if (hasSetSecureXmlResolver && isDtdProcessingDisabled)
{
return;
}
}
DiagnosticDescriptor rule = RuleDoNotUseInsecureDtdProcessingInApiDesign;
context.ReportDiagnostic(
CreateDiagnostic(
methodSymbol.Locations,
rule,
SecurityDiagnosticHelpers.GetLocalizableResourceString(
nameof(MicrosoftNetFrameworkAnalyzersResources.XmlTextReaderDerivedClassConstructorNoSecureSettingsMessage),
SecurityDiagnosticHelpers.GetNonEmptyParentName(node, model, context.CancellationToken)
)
)
);
}
private void AnalyzeMethodOverloads(OperationAnalysisContext context, IMethodSymbol method, ImmutableArray <IArgumentOperation> arguments, SyntaxNode expressionSyntax)
{
if (method.MatchMethodDerivedByName(_xmlTypes.XmlDocument, SecurityMemberNames.Load) || //FxCop CA3056
method.MatchMethodDerivedByName(_xmlTypes.XmlDocument, SecurityMemberNames.LoadXml) || //FxCop CA3057
method.MatchMethodDerivedByName(_xmlTypes.XPathDocument, WellKnownMemberNames.InstanceConstructorName) || //FxCop CA3059
method.MatchMethodDerivedByName(_xmlTypes.XmlSchema, SecurityMemberNames.Read) || //FxCop CA3060
method.MatchMethodDerivedByName(_xmlTypes.DataSet, SecurityMemberNames.ReadXml) || //FxCop CA3063
method.MatchMethodDerivedByName(_xmlTypes.DataSet, SecurityMemberNames.ReadXmlSchema) || //FxCop CA3064
method.MatchMethodDerivedByName(_xmlTypes.XmlSerializer, SecurityMemberNames.Deserialize) || //FxCop CA3070
method.MatchMethodDerivedByName(_xmlTypes.DataTable, SecurityMemberNames.ReadXml) || //FxCop CA3071
method.MatchMethodDerivedByName(_xmlTypes.DataTable, SecurityMemberNames.ReadXmlSchema)) //FxCop CA3072
{
if (SecurityDiagnosticHelpers.HasXmlReaderParameter(method, _xmlTypes) < 0)
{
DiagnosticDescriptor rule = RuleDoNotUseInsecureDtdProcessing;
context.ReportDiagnostic(
Diagnostic.Create(
rule,
expressionSyntax.GetLocation(),
SecurityDiagnosticHelpers.GetLocalizableResourceString(
nameof(MicrosoftNetFrameworkAnalyzersResources.DoNotUseDtdProcessingOverloadsMessage),
method.Name
)
)
);
}
}
else if (method.MatchMethodDerivedByName(_xmlTypes.XmlReader, SecurityMemberNames.Create))
{
int xmlReaderSettingsIndex = SecurityDiagnosticHelpers.GetXmlReaderSettingsParameterIndex(method, _xmlTypes);
if (xmlReaderSettingsIndex < 0)
{
if (method.Parameters.Length == 1 &&
method.Parameters[0].RefKind == RefKind.None &&
method.Parameters[0].Type.SpecialType == SpecialType.System_String)
{
// inputUri can load be a URL. Should further investigate if this is worth flagging.
Diagnostic diag = Diagnostic.Create(
RuleDoNotUseInsecureDtdProcessing,
expressionSyntax.GetLocation(),
SecurityDiagnosticHelpers.GetLocalizableResourceString(
nameof(MicrosoftNetFrameworkAnalyzersResources.XmlReaderCreateWrongOverloadMessage)
)
);
context.ReportDiagnostic(diag);
}
// If no XmlReaderSettings are passed, then the default
// XmlReaderSettings are used, with DtdProcessing set to Prohibit.
}
else if (arguments.Length > xmlReaderSettingsIndex)
{
IArgumentOperation arg = arguments[xmlReaderSettingsIndex];
ISymbol settingsSymbol = arg.GetReferencedMemberOrLocalOrParameter();
if (settingsSymbol == null)
{
return;
}
// If we have no XmlReaderSettingsEnvironment, then we don't know.
if (_xmlReaderSettingsEnvironments.TryGetValue(settingsSymbol, out XmlReaderSettingsEnvironment env) &&
!env.IsDtdProcessingDisabled &&
!(env.IsSecureResolver && env.IsMaxCharactersFromEntitiesLimited))
{
Diagnostic diag;
if (env.IsConstructedInCodeBlock)
{
diag = Diagnostic.Create(
RuleDoNotUseInsecureDtdProcessing,
expressionSyntax.GetLocation(),
SecurityDiagnosticHelpers.GetLocalizableResourceString(
nameof(MicrosoftNetFrameworkAnalyzersResources.XmlReaderCreateInsecureConstructedMessage)
)
);
}
else
{
diag = Diagnostic.Create(
RuleDoNotUseInsecureDtdProcessing,
expressionSyntax.GetLocation(),
SecurityDiagnosticHelpers.GetLocalizableResourceString(
nameof(MicrosoftNetFrameworkAnalyzersResources.XmlReaderCreateInsecureInputMessage)
)
);
}
context.ReportDiagnostic(diag);
}
}
}
}
private void AnalyzeNodeForXslCompiledTransformLoad(SyntaxNodeAnalysisContext context)
{
SyntaxNode node = context.Node;
SemanticModel model = context.SemanticModel;
IMethodSymbol methodSymbol = _syntaxNodeHelper.GetCalleeMethodSymbol(node, model);
if (SecurityDiagnosticHelpers.IsXslCompiledTransformLoad(methodSymbol, _xmlTypes))
{
bool isSecureResolver;
bool isSecureSettings;
bool isSetInBlock;
int xmlResolverIndex = SecurityDiagnosticHelpers.GetXmlResolverParameterIndex(methodSymbol, _xmlTypes);
int xsltSettingsIndex = SecurityDiagnosticHelpers.GetXsltSettingsParameterIndex(methodSymbol, _xmlTypes);
// Overloads with no XmlResolver and XstlSettings specified are secure since they all have folowing behavior:
// 1. An XmlUrlResolver with no user credentials is used to process any xsl:import or xsl:include elements.
// 2. The document() function is disabled.
// 3. Embedded scripts are not supported.
if (xmlResolverIndex >= 0 &&
xsltSettingsIndex >= 0)
{
IEnumerable <SyntaxNode> argumentExpressionNodes = _syntaxNodeHelper.GetInvocationArgumentExpressionNodes(node);
SyntaxNode resolverNode = argumentExpressionNodes.ElementAt(xmlResolverIndex);
isSecureResolver = SyntaxNodeHelper.NodeHasConstantValueNull(resolverNode, model) ||
SecurityDiagnosticHelpers.IsXmlSecureResolverType(model.GetTypeInfo(resolverNode).Type, _xmlTypes);
SyntaxNode settingsNode = argumentExpressionNodes.ElementAt(xsltSettingsIndex);
ISymbol settingsSymbol = SyntaxNodeHelper.GetSymbol(settingsNode, model);
// 1. pass null or XsltSettings.Default as XsltSetting : secure
if (settingsSymbol == null || SecurityDiagnosticHelpers.IsXsltSettingsDefaultProperty(settingsSymbol as IPropertySymbol, _xmlTypes))
{
isSetInBlock = true;
isSecureSettings = true;
}
// 2. XsltSettings.TrustedXslt : insecure
else if (SecurityDiagnosticHelpers.IsXsltSettingsTrustedXsltProperty(settingsSymbol as IPropertySymbol, _xmlTypes))
{
isSetInBlock = true;
isSecureSettings = false;
}
// 3. check xsltSettingsEnvironments, if IsScriptDisabled && IsDocumentFunctionDisabled then secure, else insecure
else if (_xsltSettingsEnvironments.TryGetValue(settingsSymbol, out XsltSettingsEnvironment env))
{
isSetInBlock = false;
isSecureSettings = env.IsDocumentFunctionDisabled && env.IsScriptDisabled;
}
//4. symbol for settings is not found => passed in without any change => assume insecure
else
{
isSetInBlock = true;
isSecureSettings = false;
}
if (!isSecureSettings && !isSecureResolver)
{
LocalizableResourceString message = SecurityDiagnosticHelpers.GetLocalizableResourceString(
isSetInBlock ? nameof(MicrosoftNetFrameworkAnalyzersResources.XslCompiledTransformLoadInsecureConstructedMessage) :
nameof(MicrosoftNetFrameworkAnalyzersResources.XslCompiledTransformLoadInsecureInputMessage),
SecurityDiagnosticHelpers.GetNonEmptyParentName(node, model, context.CancellationToken)
);
context.ReportDiagnostic(
node.CreateDiagnostic(RuleDoNotUseInsecureXSLTScriptExecution, message)
);
}
}
}
}
private void AnalyzeNodeForXmlTextReaderDerivedTypeMethodDecl(SyntaxNodeAnalysisContext context)
{
SyntaxNode node = context.Node;
SemanticModel model = context.SemanticModel;
IMethodSymbol methodSymbol = SyntaxNodeHelper.GetDeclaredSymbol(node, model) as IMethodSymbol;
if (methodSymbol == null ||
!((methodSymbol.ContainingType != _xmlTypes.XmlTextReader) && methodSymbol.ContainingType.DerivesFrom(_xmlTypes.XmlTextReader, baseTypesOnly: true)))
{
return;
}
// If the default value are not secure, the AnalyzeNodeForXmlTextReaderDerivedTypeConstructorDecl would be skipped,
// therefoer we need to check constructor for any insecure settings.
// Otherwise, we skip checking constructors
if (_isFrameworkSecure && methodSymbol.MethodKind == MethodKind.Constructor)
{
return;
}
bool hasSetXmlResolver = false;
bool hasSetInsecureXmlResolver = true;
bool isDtdProcessingSet = false;
bool isDtdProcessingEnabled = true;
List <Location> locs = null;
Location insecureXmlResolverAssignLoc = null;
Location issecureDtdProcessingLoc = null;
IEnumerable <SyntaxNode> assignments = _syntaxNodeHelper.GetDescendantAssignmentExpressionNodes(node);
foreach (SyntaxNode assignment in assignments)
{
bool ret;
ret = IsAssigningIntendedValueToPropertyDerivedFromType(assignment,
model,
(s) =>
{
return(SecurityDiagnosticHelpers.IsXmlTextReaderXmlResolverProperty(s, _xmlTypes));
},
(n) =>
{
return(!(SyntaxNodeHelper.NodeHasConstantValueNull(n, model) ||
SecurityDiagnosticHelpers.IsXmlSecureResolverType(model.GetTypeInfo(n).Type, _xmlTypes)));
},
out bool isTargetProperty
);
if (isTargetProperty)
{
hasSetXmlResolver = true;
hasSetInsecureXmlResolver &= ret; // use 'AND' to avoid false positives (but imcrease false negative rate)
if (ret)
{
if (locs == null)
{
locs = new List <Location>();
}
locs.Add(assignment.GetLocation());
}
continue;
}
ret = IsAssigningIntendedValueToPropertyDerivedFromType(assignment,
model,
(s) =>
{
return(SecurityDiagnosticHelpers.IsXmlTextReaderDtdProcessingProperty(s, _xmlTypes));
},
(n) =>
{
return(SyntaxNodeHelper.GetSymbol(n, model).MatchFieldByName(_xmlTypes.DtdProcessing, SecurityMemberNames.Parse));
},
out isTargetProperty);
if (isTargetProperty)
{
isDtdProcessingSet = true;
isDtdProcessingEnabled &= ret; // use 'AND' to avoid false positives (but imcrease false negative rate)
if (ret)
{
if (locs == null)
{
locs = new List <Location>();
}
locs.Add(assignment.GetLocation());
}
}
}
// neither XmlResolver nor DtdProcessing is explicitly set
if (!(hasSetXmlResolver || isDtdProcessingSet))
{
return;
}
// explicitly set XmlResolver and/or DtdProcessing to secure value
else if (!hasSetInsecureXmlResolver || !isDtdProcessingEnabled)
{
return;
}
// didn't explicitly set either one of XmlResolver and DtdProcessing to secure value
// but explicitly set XmlResolver and/or DtdProcessing to insecure value
else
{
if (insecureXmlResolverAssignLoc != null)
{
locs.Add(insecureXmlResolverAssignLoc);
}
if (issecureDtdProcessingLoc != null)
{
locs.Add(issecureDtdProcessingLoc);
}
DiagnosticDescriptor rule = RuleDoNotUseInsecureDtdProcessingInApiDesign;
// TODO: Only first location is shown in error, maybe we want to report on method instead?
// Or on each insecure assignment?
context.ReportDiagnostic(
CreateDiagnostic(
locs,
rule,
SecurityDiagnosticHelpers.GetLocalizableResourceString(
nameof(MicrosoftNetFrameworkAnalyzersResources.XmlTextReaderDerivedClassSetInsecureSettingsInMethodMessage),
methodSymbol.Name
)
)
);
}
}
private void AnalyzeObjectCreationForXmlDocument(OperationAnalysisContext context, ISymbol variable, IObjectCreationOperation objCreation)
{
if (variable == null || !_xmlDocumentEnvironments.TryGetValue(variable, out var xmlDocumentEnvironment))
{
xmlDocumentEnvironment = new XmlDocumentEnvironment
{
IsSecureResolver = false,
IsXmlResolverSet = false
};
}
xmlDocumentEnvironment.XmlDocumentDefinition = objCreation.Syntax;
SyntaxNode node = objCreation.Syntax;
bool isXmlDocumentSecureResolver = false;
if (objCreation.Constructor.ContainingType != _xmlTypes.XmlDocument)
{
isXmlDocumentSecureResolver = true;
}
// propertyInitlizer is not returned any more
// and no way to get propertysymbol
if (objCreation.Initializer != null)
{
foreach (IOperation init in objCreation.Initializer.Initializers)
{
if (init is IAssignmentOperation assign)
{
var propValue = assign.Value;
if (!(context.Compilation.GetSemanticModel(context.Operation.Syntax.SyntaxTree)?.GetSymbolInfo(assign.Target.Syntax).Symbol is IPropertySymbol prop))
{
continue;
}
if (prop.MatchPropertyDerivedByName(_xmlTypes.XmlDocument, "XmlResolver"))
{
if (!(propValue is IConversionOperation operation))
{
return;
}
if (SecurityDiagnosticHelpers.IsXmlSecureResolverType(operation.Operand.Type, _xmlTypes))
{
isXmlDocumentSecureResolver = true;
}
else if (SecurityDiagnosticHelpers.IsExpressionEqualsNull(operation.Operand))
{
isXmlDocumentSecureResolver = true;
}
else // Non secure resolvers
{
return;
}
}
}
}
}
xmlDocumentEnvironment.IsSecureResolver = isXmlDocumentSecureResolver;
if (variable != null)
{
_xmlDocumentEnvironments[variable] = xmlDocumentEnvironment;
}
else if (!xmlDocumentEnvironment.IsSecureResolver) // Insecure temp object
{
Diagnostic diag = Diagnostic.Create(
RuleDoNotUseInsecureDtdProcessing,
node.GetLocation(),
SecurityDiagnosticHelpers.GetLocalizableResourceString(
nameof(MicrosoftNetFrameworkAnalyzersResources.XmlDocumentWithNoSecureResolverMessage)
)
);
context.ReportDiagnostic(diag);
}
}