Merge pull request #6491 from LLLXXXCCC/ca5366

Ca5366

Author: ttorble

docs/code-quality/ca5366.md

@@ -0,0 +1,72 @@
+---
+title: "CA5366: Use XmlReader For DataSet Read XML"
+description: Provides information about code analysis rule CA5366, including causes, how to fix violations, and when to suppress it.
+ms.date: 04/30/2020
+ms.topic: reference
+author: LLLXXXCCC
+ms.author: linche
+manager: jillfra
+ms.workload:
+  - "multiple"
+f1_keywords:
+  - "CA5366"
+---
+# CA5366: Use XmlReader For DataSet Read XML
+
+|||
+|-|-|
+|CheckId|CA5366|
+|Category|Microsoft.Security|
+|Breaking change|Non-breaking|
+
+## Cause
+
+A Document Type Definition (DTD) defines the structure and the legal elements and attributes of an XML document. Referring to a DTD from an external resource could cause potential Denial of Service (DoS) attacks. Most readers cannot disable DTD processing and restrict external references loading except for <xref:System.Xml.XmlReader?displayProperty=nameWithType>. Using these other readers to load XML by one of the following methods triggers this rule:
+- <xref:System.Data.DataSet.ReadXml%2A>
+- <xref:System.Data.DataSet.ReadXmlSchema%2A>
+- <xref:System.Data.DataSet.ReadXmlSerializable%2A>
+
+## Rule description
+
+Using a <xref:System.Data.DataSet?displayProperty=nameWithType> to read XML with untrusted data may load dangerous external references, which should be restricted by using an <xref:System.Xml.XmlReader> with a secure resolver or with DTD processing disabled.
+
+## How to fix violations
+
+Use <xref:System.Xml.XmlReader> or its derived classes to read XML.
+
+## When to suppress warnings
+
+Suppress a warning from this rule when dealing with a trusted data source.
+
+## Pseudo-code examples
+
+### Violation
+
+```csharp
+using System.Data;
+using System.IO;
+
+public class ExampleClass
+{
+    public void ExampleMethod()
+    {
+        new DataSet().ReadXml(new FileStream("xmlFilename", FileMode.Open));
+    }
+}
+```
+
+### Solution
+
+```csharp
+using System.Data;
+using System.IO;
+using System.Xml;
+
+public class ExampleClass
+{
+    public void ExampleMethod()
+    {
+        new DataSet().ReadXml(new XmlTextReader(new FileStream("xmlFilename", FileMode.Open)));
+    }
+}
+```

docs/code-quality/code-analysis-warnings-for-managed-code-by-checkid.md

@@ -541,4 +541,5 @@ The following table lists Code Analysis warnings for managed code by the CheckId
 | CA2246 | [CA2246: Do not assign a symbol and its member in the same statement](../code-quality/ca2246.md) | Assigning a symbol and its member, that is, a field or a property, in the same statement is not recommended. It is not clear if the member access was intended to use the symbol's old value prior to the assignment or the new value from the assignment in this statement. |
 | CA5122 | [CA5122 P/Invoke declarations should not be safe critical](../code-quality/ca5122.md) | Methods are marked as SecuritySafeCritical when they perform a security sensitive operation, but are also safe to be used by transparent code. Transparent code may never directly call native code through a P/Invoke. Therefore, marking a P/Invoke as security safe critical will not enable transparent code to call it, and is misleading for security analysis. |
 | CA5365 | [CA5365 Do Not Disable HTTP Header Checking](../code-quality/ca5365.md) | HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. |
+| CA5366 | [CA5366 Use XmlReader For DataSet Read XML](../code-quality/ca5366.md) | Using a <xref:System.Data.DataSet> to read XML with untrusted data may load dangerous external references, which should be restricted by using an <xref:System.Xml.XmlReader> with a secure resolver or with DTD processing disabled. |
 | CA5374 | [CA5374 Do Not Use XslTransform](../code-quality/ca5374.md) | This rule checks if <xref:System.Xml.Xsl.XslTransform?displayProperty=nameWithType> is instantiated in the code. <xref:System.Xml.Xsl.XslTransform?displayProperty=nameWithType> is now obsolete and shouldn’t be used. |

docs/code-quality/security-warnings.md

@@ -104,6 +104,7 @@ Security warnings support safer libraries and applications. These warnings help
 |[CA5363: Do not disable request validation](../code-quality/ca5363.md)|Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content that can lead to injection attacks, including cross-site-scripting.|
 |[CA5364: Do not use deprecated security protocols](../code-quality/ca5364.md)|Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3 and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk.|
 |[CA5365: Do Not Disable HTTP Header Checking](../code-quality/ca5365.md)|HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header.|
+|[CA5366: Use XmlReader For DataSet Read XML](../code-quality/ca5366.md)|Using a <xref:System.Data.DataSet> to read XML with untrusted data may load dangerous external references, which should be restricted by using an <xref:System.Xml.XmlReader> with a secure resolver or with DTD processing disabled.|
 |[CA5369: Use XmlReader for Deserialize](../code-quality/ca5369.md)|Processing untrusted DTD and XML schemas may enable loading dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled.|
 |[CA5370: Use XmlReader for validating reader](../code-quality/ca5370.md)|Processing untrusted DTD and XML schemas may enable loading dangerous external references. This dangerous loading can be restricted by using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled.|
 |[CA5371: Use XmlReader for schema read](../code-quality/ca5371.md)|Processing untrusted DTD and XML schemas may enable loading dangerous external references. Using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled restricts this.|

docs/code-quality/toc.yml

@@ -754,6 +754,8 @@
           href: ca5364.md
         - name: "CA5365: Do Not Disable HTTP Header Checking"
           href: ca5365.md
+        - name: "CA5366: Use XmlReader For DataSet Read XML"
+          href: ca5366.md
         - name: "CA5369: Use XmlReader for Deserialize"
           href: ca5369.md
         - name: "CA5370: Use XmlReader for validating reader"