Fortify Command Injection fix

Question

Fortify show me a Command Injection on the below code

    XmlSerializer serializer = new XmlSerializer(typeof(T));
    TextReader read = new StringReader(s);

    System.Xml.XmlReaderSettings settings = new System.Xml.XmlReaderSettings();
    settings.DtdProcessing = System.Xml.DtdProcessing.Prohibit;
    settings.MaxCharactersFromEntities = 100;
    System.Xml.XmlReader reader = System.Xml.XmlTextReader.Create(read, settings);
    return (T)serializer.Deserialize(reader); //bad code

shows the vulnerability in the following line

return (T)serializer.Deserialize(reader); //bad code

How can I resolve this situation ?

Note : it doesn't give any error it says this line of code is suspicious

it doesn't give any error it says this line of code is suspicious — Jesse, Jan 28 '22 at 12:43
https://vulncat.fortify.com/en/detail?id=desc.configuration.java.dynamic_code_evaluation_unsafe_deserialization — Mads Hansen, Jan 28 '22 at 13:09

score 2 · Answer 1 · answered Jan 28 '22 at 13:15

This is a code style warning. There is no type checking or error handling around that line of code, most linters would pick up explicit casts as warnings by default because it is suspicious.

In your business process you might have justified reason to assume that the type will always cast to T or you might fully expect to catch the exception higer up, but in general explicit casts that are not wrapped with exception handling or challenged by type checking are indicators of lazy programming where you are brute forcing a conversion.

It is up to you how to proceed of course, but be aware of the risk that this line of code will result in a runtime error.

V580. Suspicious explicit type casting. Consider inspecting the expression.

Fortify Command Injection fix

1 Answers1