Remove XmlTextReader from sample solutions in CA3075

dotpaul · dotpaul · commit d7a6a5429f84 · 2019-03-15T17:22:51.000-07:00
diff --git a/docs/code-quality/ca3075-insecure-dtd-processing.md b/docs/code-quality/ca3075-insecure-dtd-processing.md
@@ -24,7 +24,7 @@ If you use insecure <xref:System.Xml.XmlReaderSettings.DtdProcessing%2A> instanc
 
 ## Rule description
 
-A *Document Type Definition (DTD)* is one of two ways an XML parser can determine the validity of a document, as defined by the  [World Wide Web Consortium (W3C) Extensible Markup Language (XML) 1.0](http://www.w3.org/TR/2008/REC-xml-20081126/). This rule seeks properties and instances where untrusted data is accepted to warn developers about potential [Information Disclosure](/dotnet/framework/wcf/feature-details/information-disclosure) threats, which may lead to [Denial of Service (DoS)](/dotnet/framework/wcf/feature-details/denial-of-service) attacks. This rule triggers when:
+A *Document Type Definition (DTD)* is one of two ways an XML parser can determine the validity of a document, as defined by the  [World Wide Web Consortium (W3C) Extensible Markup Language (XML) 1.0](http://www.w3.org/TR/2008/REC-xml-20081126/). This rule seeks properties and instances where untrusted data is accepted to warn developers about potential [Information Disclosure](/dotnet/framework/wcf/feature-details/information-disclosure) threats, or which may lead to [Denial of Service (DoS)](/dotnet/framework/wcf/feature-details/denial-of-service) attacks. This rule triggers when:
 
 - DtdProcessing is enabled on the <xref:System.Xml.XmlReader> instance, which resolves external XML entities using <xref:System.Xml.XmlUrlResolver>.
 
@@ -44,7 +44,7 @@ In each of these cases, the outcome is the same: the contents from either the fi
 
 - Catch and process all XmlTextReader exceptions properly to avoid path information disclosure    .
 
-- Use the <xref:System.Xml.XmlSecureResolver> to restrict the resources      that the XmlTextReader can access.
+- Use the <xref:System.Xml.XmlSecureResolver> to restrict the resources that the XmlTextReader can access.
 
 - Do not allow the <xref:System.Xml.XmlReader> to open any external resources by setting the <xref:System.Xml.XmlResolver> property to **null**.
 
@@ -198,7 +198,7 @@ public static void TestMethod(string xml)
 {
     XmlDocument doc = new XmlDocument() { XmlResolver = null };
     System.IO.StringReader sreader = new System.IO.StringReader(xml);
-    XmlTextReader reader = new XmlTextReader(sreader) { DtdProcessing = DtdProcessing.Prohibit };
+    XmlReader reader = XmlReader.Create(sreader, new XmlReaderSettings() { XmlResolver = null });
     doc.Load(reader);
 }
 ```
@@ -237,7 +237,7 @@ namespace TestNamespace
         public void TestMethod(Stream stream)
         {
             XmlSerializer serializer = new XmlSerializer(typeof(UseXmlReaderForDeserialize));
-            XmlTextReader reader = new XmlTextReader(stream) { DtdProcessing = DtdProcessing.Prohibit } ;
+            XmlReader reader = XmlReader.Create(stream, new XmlReaderSettings() { XmlResolver = null });
             serializer.Deserialize(reader );
         }
     }
@@ -274,7 +274,7 @@ namespace TestNamespace
     {
         public void TestMethod(string path)
         {
-            XmlTextReader reader = new XmlTextReader(path) { DtdProcessing = DtdProcessing.Prohibit };
+            XmlReader reader = XmlReader.Create(path, new XmlReaderSettings() { XmlResolver = null });
             XPathDocument doc = new XPathDocument(reader);
         }
     }
@@ -314,22 +314,6 @@ namespace TestNamespace
 ```csharp
 using System.Xml;
 
-namespace TestNamespace
-{
-    public class TestClass
-    {
-        public void TestMethod(string path)
-        {
-            XmlReaderSettings settings = new XmlReaderSettings(){ DtdProcessing = DtdProcessing.Parse };
-            XmlReader reader = XmlReader.Create(path, settings); // warn
-        }
-    }
-}
-```
-
-```csharp
-using System.Xml;
-
 namespace TestNamespace
 {
     class TestClass
@@ -372,7 +356,7 @@ namespace TestNamespace
     {
         public void TestMethod(string path)
         {
-            XmlReaderSettings settings = new XmlReaderSettings(){ DtdProcessing = DtdProcessing.Prohibit };
+            XmlReaderSettings settings = new XmlReaderSettings() { XmlResolver = null };
             XmlReader reader = XmlReader.Create(path, settings);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ If you use insecure <xref:System.Xml.XmlReaderSettings.DtdProcessing%2A> instanc`
`24`	`24`
`25`	`25`	`## Rule description`
`26`	`26`
`27`		-A Document Type Definition (DTD) is one of two ways an XML parser can determine the validity of a document, as defined by the [World Wide Web Consortium (W3C) Extensible Markup Language (XML) 1.0](http://www.w3.org/TR/2008/REC-xml-20081126/). This rule seeks properties and instances where untrusted data is accepted to warn developers about potential [Information Disclosure](/dotnet/framework/wcf/feature-details/information-disclosure) threats, which may lead to [Denial of Service (DoS)](/dotnet/framework/wcf/feature-details/denial-of-service) attacks. This rule triggers when:
	`27`	+A Document Type Definition (DTD) is one of two ways an XML parser can determine the validity of a document, as defined by the [World Wide Web Consortium (W3C) Extensible Markup Language (XML) 1.0](http://www.w3.org/TR/2008/REC-xml-20081126/). This rule seeks properties and instances where untrusted data is accepted to warn developers about potential [Information Disclosure](/dotnet/framework/wcf/feature-details/information-disclosure) threats, or which may lead to [Denial of Service (DoS)](/dotnet/framework/wcf/feature-details/denial-of-service) attacks. This rule triggers when:
`28`	`28`
`29`	`29`	`- DtdProcessing is enabled on the <xref:System.Xml.XmlReader> instance, which resolves external XML entities using <xref:System.Xml.XmlUrlResolver>.`
`30`	`30`
`@@ -44,7 +44,7 @@ In each of these cases, the outcome is the same: the contents from either the fi`
`44`	`44`
`45`	`45`	`- Catch and process all XmlTextReader exceptions properly to avoid path information disclosure .`
`46`	`46`
`47`		`-- Use the <xref:System.Xml.XmlSecureResolver> to restrict the resources that the XmlTextReader can access.`
	`47`	`+- Use the <xref:System.Xml.XmlSecureResolver> to restrict the resources that the XmlTextReader can access.`
`48`	`48`
`49`	`49`	`- Do not allow the <xref:System.Xml.XmlReader> to open any external resources by setting the <xref:System.Xml.XmlResolver> property to null.`
`50`	`50`
`@@ -198,7 +198,7 @@ public static void TestMethod(string xml)`
`198`	`198`	`{`
`199`	`199`	`XmlDocument doc = new XmlDocument() { XmlResolver = null };`
`200`	`200`	`System.IO.StringReader sreader = new System.IO.StringReader(xml);`
`201`		`- XmlTextReader reader = new XmlTextReader(sreader) { DtdProcessing = DtdProcessing.Prohibit };`
	`201`	`+ XmlReader reader = XmlReader.Create(sreader, new XmlReaderSettings() { XmlResolver = null });`
`202`	`202`	`doc.Load(reader);`
`203`	`203`	`}`
`204`	`204`	```
`@@ -237,7 +237,7 @@ namespace TestNamespace`
`237`	`237`	`public void TestMethod(Stream stream)`
`238`	`238`	`{`
`239`	`239`	`XmlSerializer serializer = new XmlSerializer(typeof(UseXmlReaderForDeserialize));`
`240`		`- XmlTextReader reader = new XmlTextReader(stream) { DtdProcessing = DtdProcessing.Prohibit } ;`
	`240`	`+ XmlReader reader = XmlReader.Create(stream, new XmlReaderSettings() { XmlResolver = null });`
`241`	`241`	`serializer.Deserialize(reader );`
`242`	`242`	`}`
`243`	`243`	`}`
`@@ -274,7 +274,7 @@ namespace TestNamespace`
`274`	`274`	`{`
`275`	`275`	`public void TestMethod(string path)`
`276`	`276`	`{`
`277`		`- XmlTextReader reader = new XmlTextReader(path) { DtdProcessing = DtdProcessing.Prohibit };`
	`277`	`+ XmlReader reader = XmlReader.Create(path, new XmlReaderSettings() { XmlResolver = null });`
`278`	`278`	`XPathDocument doc = new XPathDocument(reader);`
`279`	`279`	`}`
`280`	`280`	`}`
`@@ -314,22 +314,6 @@ namespace TestNamespace`
`314`	`314`	```csharp
`315`	`315`	`using System.Xml;`
`316`	`316`
`317`		`-namespace TestNamespace`
`318`		`-{`
`319`		`- public class TestClass`
`320`		`- {`
`321`		`- public void TestMethod(string path)`
`322`		`- {`
`323`		`- XmlReaderSettings settings = new XmlReaderSettings(){ DtdProcessing = DtdProcessing.Parse };`
`324`		`- XmlReader reader = XmlReader.Create(path, settings); // warn`
`325`		`- }`
`326`		`- }`
`327`		`-}`
`328`		-```
`329`		`-`
`330`		-```csharp
`331`		`-using System.Xml;`
`332`		`-`
`333`	`317`	`namespace TestNamespace`
`334`	`318`	`{`
`335`	`319`	`class TestClass`
`@@ -372,7 +356,7 @@ namespace TestNamespace`
`372`	`356`	`{`
`373`	`357`	`public void TestMethod(string path)`
`374`	`358`	`{`
`375`		`- XmlReaderSettings settings = new XmlReaderSettings(){ DtdProcessing = DtdProcessing.Prohibit };`
	`359`	`+ XmlReaderSettings settings = new XmlReaderSettings() { XmlResolver = null };`
`376`	`360`	`XmlReader reader = XmlReader.Create(path, settings);`
`377`	`361`	`}`
`378`	`362`	`}`