ReadLine caught in security scan as deserialization of untrusted data

  • Question

  • Need help in identifying the issue.

    using System;
    using System.IO;
    using System.Text;

    public static class FileUtility
    {
        // Reads the whole file line by line and returns it as one string.
        public static String LoadTextFile(String path)
        {
            StringBuilder sb = new StringBuilder();
            using (StreamReader reader = new FileInfo(path).OpenText())
            {
                String text;
                // ReadLine strips the line terminator, so it is re-added here;
                // otherwise consecutive lines run together in the result.
                while ((text = reader.ReadLine()) != null)
                {
                    sb.AppendLine(text);
                }
            }

            return sb.ToString();
        }
    }

    Calling Method:

    // Requires: using System; using System.IO; using System.Text; using System.Xml.Serialization;
    private MessageConfig LoadConfig()
    {
        string xml = FileUtility.LoadTextFile(Environment.CurrentDirectory + @"\test.config");
        XmlSerializer ser = new XmlSerializer(typeof(MessageConfig));
        // Wrap the file text in a stream for the serializer and dispose it afterwards.
        using (MemoryStream ms = new MemoryStream(new UTF8Encoding().GetBytes(xml)))
        {
            return (MessageConfig)ser.Deserialize(ms);
        }
    }

    Violation Message:

    The serialized object ReadLine processed in LoadTextFile in the file Test\FileUtility.cs at line 13 is deserialized by Deserialize in the file Test\Simulator.cs at line 368

    Though the XmlSerializer is deserializing the memory stream into a predefined type, ReadLine is caught in code scans with the above violation. Please suggest a solution.

    Sunday, May 17, 2020 5:54 AM
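One way to load the configuration that keeps XmlSerializer but parses the file through a locked-down XmlReader, so the file content never passes through an intermediate string and DTD or external-entity processing is refused. This is an added example, not code from the original post or reply; MessageConfig is assumed to be a plain data class (the two properties below are placeholders), and the file is assumed to live in the application directory.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Placeholder shape for the MessageConfig type from the question (assumption).
public class MessageConfig
{
    public string Name { get; set; }
    public int RetryCount { get; set; }
}

public static class SafeConfigLoader
{
    // Loads a config file from the application directory with XmlSerializer,
    // reading through an XmlReader that rejects DTDs and never resolves
    // external resources. The serializer can only produce MessageConfig, and
    // the reader settings close the entity-expansion/XXE route, which is the
    // residual file-input risk a deserialization rule points at.
    public static MessageConfig LoadConfig(string fileName = "test.config")
    {
        // Resolve against the application directory and make sure the
        // resulting path actually stays inside it.
        string baseDir = AppDomain.CurrentDomain.BaseDirectory;
        string fullPath = Path.GetFullPath(Path.Combine(baseDir, fileName));
        if (!fullPath.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Config path escapes the application directory.");

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // reject <!DOCTYPE ...> outright
            XmlResolver = null,                      // no external DTD/entity fetches
            IgnoreProcessingInstructions = true,
            CloseInput = true
        };

        var serializer = new XmlSerializer(typeof(MessageConfig));
        using (var stream = File.OpenRead(fullPath))
        using (var reader = XmlReader.Create(stream, settings))
        {
            // Fail early rather than accept a document with the wrong root element.
            if (!serializer.CanDeserialize(reader))
                throw new InvalidDataException("File is not a MessageConfig document.");
            return (MessageConfig)serializer.Deserialize(reader);
        }
    }
}
```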

All replies

  • Hi MLAMHA,
    Based on your description, I have some suggestions you can refer to.
    1. Could you explain your "Violation Message" in detail? And does your "Violation Message" come from Visual Studio or Scans?
    2. You can try to use Application.StartupPath instead of Environment.CurrentDirectory.

    string xml = File.ReadAllText(Path.Combine(Application.StartupPath, "test.config"));

    Best Regards,
    Daniel Zhang


    MSDN Community Support

    Thursday, May 28, 2020 7:48 AM