Should developers update _vti_bin/lists.asmx and _vti_bin/copy.asmx? - security

We have comments from the security team:
For: _vti_bin/copy.asmx
Implications
Processing XML documents can be computationally expensive. Attackers may take advantage of schemas that allow unbounded elements by supplying an application with a very large number of elements, causing the application to exhaust system resources.
The following is an example of a schema that allows unbounded bar elements.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" >
<xs:element name="foo" >
<xs:complexType>
<xs:sequence>
<xs:element name="bar" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Recommendations
Limit maxOccurs to a reasonable number.
The following is an example of a schema that allows 50 bar elements.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" >
<xs:element name="foo" >
<xs:complexType>
<xs:sequence>
<xs:element name="bar" maxOccurs="50" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
For: _vti_bin/lists.asmx
Implications
The <xs:any> element means arbitrary tags can be included in a valid document. Permitting arbitrary content makes it easier for attackers to perform attacks like XML injection.
Example 1: Imagine you are using the following schema for validation.
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="cart" >
<xs:complexType>
<xs:sequence>
<xs:element name="itemID" maxOccurs="1" />
<xs:element name="price" maxOccurs="1" />
<xs:element name="description" maxOccurs="1"/>
<xs:any minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="description" type="xs:string"/>
<xs:element name="name" type="xs:string"/>
<xs:element name="price" type="xs:decimal"/>
<xs:element name="code" type="xs:string"/>
</xs:schema>
Since this schema uses the <xs:any> element, the following XML document will be considered valid.
<?xml version="1.0" ?>
<cart>
<itemID>123</itemID>
<price>50.00</price>
<price>1.0</price>
</cart>
This is especially dangerous when using SAX parsers since later nodes will overwrite previous nodes.
Recommendations
Explicitly define permissible elements instead of using the <xs:any> element.
Example 2: In order to fix Example 1, replace the <xs:any> element with a concretely defined element such as .
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="cart" >
<xs:complexType>
<xs:sequence>
<xs:element name="itemID" maxOccurs="1" />
<xs:element name="price" maxOccurs="1" />
<xs:element name="description" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="description" type="xs:string"/>
<xs:element name="name" type="xs:string"/>
<xs:element name="price" type="xs:decimal"/>
<xs:element name="code" type="xs:string"/>
</xs:schema>
Could we update those 2 files as suggested by the security team?
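Both findings above are about what a parser will accept, so the same two rules can be enforced at parse time whether or not an XSD validator sits in front of the endpoint. The following is an added example in Python, not code from the original post, from SharePoint, or from the security team's report: a streaming parser that caps the number of child elements (the maxOccurs recommendation) and only accepts an explicit allow-list of children, each limited to its permitted occurrence count (the <xs:any> removal). The "naive" function reproduces the last-wins behaviour the finding describes for SAX-style handlers, where a second <price> silently replaces the first. The limit of 50 and the sample documents are constructed for this example.

```python
"""Added example (not code from the original post, SharePoint, or the
security team's finding): a streaming XML parser that enforces the two
recommendations at parse time, independent of whether an XSD validator
is in the pipeline.

* a maxOccurs-style bound on the number of child elements, checked as the
  elements arrive rather than after the whole document is built;
* an explicit allow-list of child elements (the <xs:any> removal), where an
  element allowed once may not appear twice, so a later node cannot
  silently overwrite an earlier one.
"""
from io import BytesIO
import xml.etree.ElementTree as ET


class SchemaViolation(ValueError):
    """Raised as soon as the document breaks one of the limits."""


# Allow-list for <cart>: child element name -> maximum occurrences.
# Mirrors Example 2 of the finding (itemID, price, description once each).
CART_CHILDREN = {"itemID": 1, "price": 1, "description": 1}

# Constructed sample documents for this example.
CART_OK = b"<cart><itemID>123</itemID><price>50.00</price><description>x</description></cart>"
CART_DUPLICATE_PRICE = b"<cart><itemID>123</itemID><price>50.00</price><price>1.0</price></cart>"
CART_EXTRA_ELEMENT = b"<cart><itemID>123</itemID><price>50.00</price><code>ABC</code></cart>"
FOO_50_BARS = b"<foo>" + b"<bar/>" * 50 + b"</foo>"
FOO_51_BARS = b"<foo>" + b"<bar/>" * 51 + b"</foo>"


def parse_children_naive(data):
    """The behaviour the finding warns about: a last-wins dictionary, so a
    repeated <price> overwrites the first value and unknown children are
    accepted as long as the document is well-formed."""
    result = {}
    for child in ET.fromstring(data):
        result[child.tag] = child.text
    return result


def parse_children_strict(data, allowed, max_children=50):
    """Parse the direct children of the root element under three rules:
    total children <= max_children, every child name in `allowed`, and no
    child exceeding its per-name limit. Violations raise immediately."""
    result = {}
    seen = {}
    depth = 0
    total = 0
    for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth == 2:  # a direct child of the root element
                total += 1
                if total > max_children:
                    raise SchemaViolation(f"more than {max_children} child elements")
                limit = allowed.get(elem.tag)
                if limit is None:
                    raise SchemaViolation(f"unexpected element <{elem.tag}>")
                seen[elem.tag] = seen.get(elem.tag, 0) + 1
                if seen[elem.tag] > limit:
                    raise SchemaViolation(f"<{elem.tag}> occurs more than {limit} time(s)")
            continue
        # "end" event: the element's text is complete here, not at "start".
        if depth == 2:
            result[elem.tag] = elem.text
            elem.clear()  # drop the finished subtree so memory stays flat
        depth -= 1
    return result


def check(data, allowed, max_children=50):
    """Return 'ok' or the violation message instead of raising."""
    try:
        parse_children_strict(data, allowed, max_children)
        return "ok"
    except SchemaViolation as exc:
        return str(exc)


if __name__ == "__main__":
    print(parse_children_naive(CART_DUPLICATE_PRICE))  # price is '1.0': last wins
    print(check(CART_DUPLICATE_PRICE, CART_CHILDREN))   # rejected: duplicate price
    print(check(CART_EXTRA_ELEMENT, CART_CHILDREN))     # rejected: <code> not allowed
    print(check(FOO_51_BARS, {"bar": 50}))              # rejected: over the cap
    print(check(FOO_50_BARS, {"bar": 50}))              # ok
```

Because the count check runs on the "start" event of the 51st child, the parser gives up before reading the rest of an oversized document, which is the point of bounding maxOccurs: the cost of rejecting is proportional to the limit, not to the attacker's input. A schema change alone does not give that guarantee if the runtime parser ignores the schema, so the allow-list and cap belong in the code path as well as in the XSD.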

Related

XSD field dependent on another field [duplicate]

I have an XSD to validate an XML file. The structure is as follows:
<root>
<child>
<size>2</size>
<childElement>Element 1</childElement>
<childElement>Element 2</childElement>
</child>
</root>
The number of childElements is dependent on the size provided i.e. if size was set as 3, not more than 3 childElements can be added.
I have tried using xs:alternative but it does not seem to work:
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="root">
<xs:complexType>
<xs:sequence>
<xs:element name="child" minOccurs="1" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="size" type="xs:integer" maxOccurs="1"/>
<xs:element name="childElement" type="xs:string" maxOccurs="1">
<xs:alternative test="#size>1" maxOccurs="#size"/>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Is there a way of using xs:alternative or another tag to achieve this, or is this outside the realm of possibility with XSD?
Design recommendation: If your XML design can still be changed, eliminate the size element and convey that information implicitly rather than explicitly. By eliminating the duplication of information, you'll not need to check that the duplication is consistent.
If your XML design cannot still be changed, or if you choose not to change it...
XSD 1.0
Not possible. Would have to be checked out-of-band wrt XSD.
XSD 1.1
Possible using xs:assert:
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema attributeFormDefault="unqualified"
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1">
<xs:element name="root">
<xs:complexType>
<xs:sequence>
<xs:element name="child">
<xs:complexType>
<xs:sequence>
<xs:element name="size" type="xs:integer"/>
<xs:element name="childElement" maxOccurs="unbounded"/>
</xs:sequence>
<xs:assert test="count(childElement) = size"/>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

Enterprise architect: Generate a list of Ids and not full instances in xsd

I want to model a container that has a list of references by id in enterprise architect.
A xsd is generated from that model.
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="Container" type="Container"/>
<xs:complexType name="Container">
<xs:sequence>
<xs:element name="Element" type="Element" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:element name="Element" type="Element"/>
<xs:complexType name="Element">
<xs:sequence>
<xs:element name="Identifier" type="xs:ID" minOccurs="1" maxOccurs="1"/>
<xs:element name="Name" type="xs:string" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
Is it possible to find settings such that a list of Ids is generated?
(Not a list of full instances like it is now)
Here are the settings of the aggregation:
The goal is to have a list of ID in the container generated from the association and have the possibility to generate java code from the xsd that has a list of element, not ID.
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="Container" type="Container"/>
<xs:complexType name="Container">
<xs:sequence>
<xs:element name="ElementRef" type="xs:IDREF" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:element name="Element" type="Element"/>
<xs:complexType name="Element">
<xs:sequence>
<xs:element name="Identifier" type="xs:ID" minOccurs="1" maxOccurs="1"/>
<xs:element name="Name" type="xs:string" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
So, the XSD shall have a list of IDREF, so that the java code generated from that shall have either a list of Identifiers or even better a list of Element.
Edit: added example of target xsd.

XSD schema - Either one or both

Is it possible to make a choice scenario, like (A or B or Both)? If yes, how can this be done with the following elements?
<xs:element name="a" type="typeA" />
<xs:element name="b" type="typeB" />
Hope you can help.
Regards,
Nima
You can see XSD "one or both" choice construct leads to ambiguous content model
<xs:schema xmlns:xs="...">
<xs:element name="a" type="typeA" />
<xs:element name="b" type="typeB" />
<xs:element name="...">
<xs:complexType>
<xs:sequence>
<xs:choice>
<xs:sequence>
<xs:element ref="a"/>
<xs:element ref="b" minOccurs="0"/>
</xs:sequence>
<xs:element ref="b"/>
</xs:choice>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

Question about xsd. Elements inside complex type must be allowed in any order

If you look at the following xsd fragment you can conclude that the corresponding xml will first contain cars followed by buses, e.g.:
car,car,bus,bus
HOWEVER I want the xml to be able to contain
car,bus,car,bus
What change do I need to make in the xsd below in order to achieve this?
<xs:element name="body">
<xs:complexType>
<xs:sequence>
<xs:element name="session" type="tns:session" />
<xs:element minOccurs="0" maxOccurs="unbounded" name="car" type="tns:car" />
<xs:element minOccurs="0" maxOccurs="unbounded" name="bus" type="tns:bus" />
</xs:sequence>
</xs:complexType>
</xs:element>
It's a bit cumbersome, but you might achieve what you're looking for like this:
create a <xs:choice> element with your car and bus elements inside; this defines that one of the contained elements can be used
make sure to have the attributes minOccurs=1 and maxOccurs=unbounded on that <xs:choice> - this gives you any number of either car or bus elements - any number, any combination
So your XML schema would look something like this (I added some stuff just to be able to generate a sample XML and verify it works - tweak as needed):
<?xml version="1.0" encoding="utf-8"?>
<xs:schema elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="body">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element minOccurs="0" maxOccurs="unbounded" name="car" type="CarType" />
<xs:element minOccurs="0" maxOccurs="unbounded" name="bus" type="BusType" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:complexType name="CarType">
<xs:sequence>
<xs:element name="Maker" type="xs:string" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="BusType">
<xs:sequence>
<xs:element name="Maker" type="xs:string" />
<xs:element name="Capacity" type="xs:int" />
</xs:sequence>
</xs:complexType>
</xs:schema>
use <xs:any> instead of <xs:sequence>

How to define the content of an element to be unique?

How can I define that the content of the emailaddress element has to be unique compared to all other emailaddresses entered inside the users tag?
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="users">
<xs:sequence>
<xs:element name="user">
<xs:element name="name" type="xs:string" />
<xs:element name="emailaddress" type="xs:string" />
</xs:element>
</xs:sequence>
</xs:element>
I think this is what you are after:
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="users">
<xs:complexType>
<xs:sequence maxOccurs="unbounded">
<xs:element name="user">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string"/>
<xs:element name="emailaddress" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- Make sure each user has a unique email address -->
<xs:unique name="email-address-is-unique">
<xs:selector xpath="user"/>
<xs:field xpath="emailaddress"/>
</xs:unique>
</xs:element>
</xs:schema>
I also took the liberty of adding omitted elements from your original schema for completeness.
So the xpath attribute of the selector element defines the elements that are being used by the uniqueness constraint, then the field element(s) have xpaths which determine what needs to be unique across the selected elements.
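To make the selector/field explanation above concrete, here is an added example in Python (not code from the question or the answer) that evaluates the same constraint with the standard library: the selector path picks the nodes under the context element, the field paths build a key per node, and any key seen twice is a uniqueness violation. It handles only child-element paths, the part of the restricted XPath subset allowed in xs:selector/xs:field that ElementTree's find() also supports; attribute fields are not covered. The sample document is constructed for this example.

```python
"""Added example, not code from the question or the answer: a checker that
applies <xs:unique> semantics (a selector path plus one or more field paths)
with the standard library, to show exactly what the constraint evaluates.
It covers only child-element paths, the part of the XPath subset allowed in
xs:selector/xs:field that ElementTree's find() also supports (no @attribute
fields)."""
import xml.etree.ElementTree as ET

# Constructed sample (assumed data, not from the question): two users share
# an address, one user has no emailaddress at all.
USERS_XML = b"""<users>
  <user><name>Ann</name><emailaddress>ann@example.com</emailaddress></user>
  <user><name>Bob</name><emailaddress>bob@example.com</emailaddress></user>
  <user><name>Ann (dup)</name><emailaddress>ann@example.com</emailaddress></user>
  <user><name>NoMail</name></user>
</users>"""


def find_duplicate_keys(context, selector, fields):
    """Evaluate `selector` relative to `context` (like xs:selector), build a
    key per selected node from the `fields` paths (like xs:field), and
    return the keys seen more than once. As in xs:unique, a node where any
    field is missing has no key and is skipped; xs:key would reject it
    instead. Comparison is on raw text, whereas a schema-aware validator
    compares typed values (e.g. xs:decimal 50.0 equals 50.00)."""
    counts = {}
    for node in context.findall(selector):
        key = []
        for path in fields:
            hit = node.find(path)
            if hit is None or hit.text is None:
                key = None
                break
            key.append(hit.text)
        if key is not None:
            key = tuple(key)
            counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)


def duplicate_emails(data=USERS_XML):
    """The answer's constraint: selector 'user', field 'emailaddress',
    evaluated from the <users> element."""
    root = ET.fromstring(data)
    return find_duplicate_keys(root, "user", ["emailaddress"])


if __name__ == "__main__":
    print(duplicate_emails())  # [('ann@example.com',)]
```

The check is declared on the <users> element in the schema, and that is exactly where the selector is evaluated from: "user" is resolved relative to <users>, and "emailaddress" relative to each selected <user>. A second field path (for example ["name", "emailaddress"]) would make the pair unique rather than each value on its own, which is how xs:unique with several xs:field children behaves.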
You use the <xs:unique> tag as described here

Resources