checkSecurityXml
Checks if XML files are accessed securely. Insecure deserialization can result in code execution. Specifically for XML, allowing DOCTYPE declarations can result in DoS (Denial of Service) attacks. This is well documented here.
Since MATLAB R2019b, you can prevent reading XML files that contain DOCTYPE declarations by setting the 'AllowDoctype' name-value pair of the xmlread function to false. This check reports a violation if the xmlread function is used without setting 'AllowDoctype' to false. For more information, see the xmlread reference page.
Since MATLAB R2021a, you can read XML files using the matlab.io.xml.dom.Parser class. By default, the AllowDoctype property of the parser's Configuration property is set to false. Therefore, this check reports a violation only if the property is explicitly set to true, and not if the property is not set at all.
Exemption tag: %@ok<SCXML>
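The following added example (not part of the check's own documentation) shows the calls this check flags beside their compliant forms, using a constructed XML file that carries a DOCTYPE declaration. It assumes MATLAB R2021a or later so that both xmlread's 'AllowDoctype' option and the matlab.io.xml.dom.Parser class are available; the file name is an assumption.

```matlab
% Constructed sample: an XML file with a DOCTYPE that defines an internal entity.
xmlFile = fullfile(tempdir, 'doctype_example.xml');   % assumed path
fid = fopen(xmlFile, 'w');
fprintf(fid, ['<?xml version="1.0"?>\n' ...
              '<!DOCTYPE note [<!ENTITY e "expanded">]>\n' ...
              '<note>&e;</note>\n']);
fclose(fid);

% Flagged by checkSecurityXml: 'AllowDoctype' is not set, so the DOCTYPE is processed.
doc = xmlread(xmlFile);                                   %#ok<NASGU>

% Compliant: DOCTYPE declarations are rejected, so reading this file raises an error.
try
    doc = xmlread(xmlFile, 'AllowDoctype', false);
catch err
    fprintf('xmlread rejected the file: %s\n', err.message);
end

% Compliant: the Parser rejects DOCTYPE declarations by default (AllowDoctype is false).
p = matlab.io.xml.dom.Parser;
try
    doc = parseFile(p, xmlFile);
catch err
    fprintf('Parser rejected the file: %s\n', err.message);
end

% Flagged by checkSecurityXml: DOCTYPE processing explicitly enabled on the parser.
p.Configuration.AllowDoctype = true;
doc = parseFile(p, xmlFile);

% Suppressing the check for a file that is known to be trusted uses the exemption tag.
doc = xmlread(xmlFile); %@ok<SCXML>

delete(xmlFile);
```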