SonarSource
NET-1918 S2755 FP: Should raise only when a XmlDocument is read
S2755 XmlDocument object can be used to read / create and edit Xml documents.
In this rule we are interested only about reading Xml documents.
var xmlDoc = new XmlDocument(); // FP
xmlDoc.CreateDocumentType("root", null, null, null); // We create a xml document here
Example of FP on peach.
To detect when a xml document is read the solution is to look for load/loadxml methods called on the xml instance. We should still continue to raise the main location on the xml instance and we should add a secondary location on the load/loadxml method.
var xmlDoc = new XmlDocument(); // main location
xmlDoc.Load(xmlfile); // Secondary location
if the object is returned or assigned to a field then we will likely loose it in the flow, so we should raise only if we see the unsecure instance creation and the load in the same function:
public void BuildXmlCache()
this.xmldoc = new XmlDocument(); // Compliant (this.xmldoc.load can be called on another method)
}
public XmlDocument BuildXmlCache()
XmlDocument xmldoc = new XmlDocument(); // Compliant (xmldoc.load can be called on the called function)
return xmldoc;
}
To properly fix this FP, the rule should be converted to use SE. Also the XmlDocument default constructor is safe since .NET 4.5.2 so the rule raises when the XmlResolver is set, and that is not how it is described here. The main location should be at the ObjectCreation.
Additionally the rule raises twice if the XmlResolver is set and the .NET version is < 4.5.2. One issue will be reported at assignment of the property and another one at the object creation.
