I am using the C# XmlSerializer to deserialize some XML that has an xmlns declaration in one part of it (note that I truncated the CipherValue to fit this post):
<EncryptedData
    Id="ZbjUzHbD37LI2DEuiEGX6A7PSnQ+19dutLPiDxZqnFY=3NLz2QA5KCiXVlJSXejhDQ=="
    Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#"
    length="44">
  <EncryptionMethod
      Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
  <CipherData>
    <CipherValue>3NLz2QA5KCiXVlJSXejhDZYYa9sLbv/w42....+PsLMCfRFN//StgbYoRqno3WQ==</CipherValue>
  </CipherData>
</EncryptedData>
With this XML loaded into Visual Studio, VS highlights the "+" character in the Id attribute and the presence of the length attribute as errors. I assume that the only way VS could know this is if it went and examined the URLs in the Type and xmlns attributes. VS making this type of Internet request is sort of OK to me, as I have given VS permission to do things like check for updates, so I already know that it will be visiting the Internet on its own terms.
However, the above XML doesn't deserialize in my command-line program unless I remove the xmlns (or force a blank namespace via a custom XmlTextReader), so I am assuming that my command-line program is also verifying the xmlns by visiting that URL.
This is slightly troubling to me, as although I understand what an xmlns URL is, I haven't explicitly given my program permission to go and visit the Internet. In addition, the use case of this program is to run locally and analyze some XML generated by another local-only program. The idea that it could be making Internet requests was way off my radar.
As well as deserializing this XML, I am also doing some XSLT using the C# XslCompiledTransform class. What I finally realized there was that when performing a transform, the xmlns attribute is not something you can manipulate with XSLT, as the transforms are performed on the conceptual data of the XML and not on the raw XML string. Thus the transform has somehow processed the xmlns when reading the XML.
My questions are:
- Is the XmlSerializer class making an implicit Internet connection to the xmlns?
- Is the XslCompiledTransform class doing something similar?
- If there are implicit connections, do they represent a security risk?
- And if so, what can be done to mitigate it (aside from forcing a blank namespace)?
As per @canton's request, here is the class definition I'm using for the EncryptedData, as well as the fragment showing where it is referenced:
...
using System.Xml.Serialization;
...
// Property on the containing (root) class that receives the EncryptedData element
[XmlElement("EncryptedData")]
public EncryptedData EncryptedData { get; set; }
...
public class EncryptedData
{
    // Attributes of the EncryptedData element, mapped by local name
    [XmlAttribute("Id")]
    public string Id { get; set; }
    [XmlAttribute("Type")]
    public string Type { get; set; }
    // The xmlns declaration, mapped here as if it were an ordinary attribute
    [XmlAttribute("xmlns")]
    public string Xmlns { get; set; }
    [XmlAttribute("length")]
    public int Length { get; set; }
    // Child elements of EncryptedData
    [XmlElement("EncryptionMethod")]
    public EncryptionMethod EncryptionMethod { get; set; }
    [XmlElement("CipherData")]
    public CipherData CipherData { get; set; }
}
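Added example (editor's code, not part of the question or any answer): it deserializes the posted XML with the xmlns left in place by declaring the namespace on the class, and it reads both the input and the stylesheet through XmlReaderSettings that prohibit DTDs and carry no XmlResolver. In both XmlSerializer and XslCompiledTransform the namespace URI is matched by string comparison and never fetched; what can make a request is an XmlResolver (used for DTDs and external entities, xsl:import/xsl:include, and document()), which is what the hardened settings switch off. The namespace URI and the attribute/element names come from the question; the XmlEncNs, SafeXml and Program names, the bodies of the EncryptionMethod and CipherData classes, the shortened sample XML and the stylesheet are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;
using System.Xml.Xsl;

// Namespace URI from the question's XML. The serializer compares it as a string;
// nothing here dereferences it. (Class name is an assumption for this example.)
public static class XmlEncNs
{
    public const string Uri = "http://www.w3.org/2001/04/xmlenc#";
}

// Declaring the namespace on the root and on every child element lets the
// serializer accept <EncryptedData xmlns="...xmlenc#"> unchanged. "xmlns" is a
// namespace declaration, not an ordinary attribute, so it is not mapped.
[XmlRoot("EncryptedData", Namespace = XmlEncNs.Uri)]
public class EncryptedData
{
    [XmlAttribute("Id")] public string Id { get; set; }
    [XmlAttribute("Type")] public string Type { get; set; }
    // Non-standard attribute present in the question's XML; XmlSerializer does not
    // validate against a schema, so it is simply mapped.
    [XmlAttribute("length")] public int Length { get; set; }
    [XmlElement("EncryptionMethod", Namespace = XmlEncNs.Uri)] public EncryptionMethod EncryptionMethod { get; set; }
    [XmlElement("CipherData", Namespace = XmlEncNs.Uri)] public CipherData CipherData { get; set; }
}

// Assumed shapes for the two child types the question references but does not show.
public class EncryptionMethod
{
    [XmlAttribute("Algorithm")] public string Algorithm { get; set; }
}

public class CipherData
{
    [XmlElement("CipherValue", Namespace = XmlEncNs.Uri)] public string CipherValue { get; set; }
}

public static class SafeXml
{
    // Reader settings that can neither load a DTD nor resolve any external resource.
    // This is the only place where network or file access could otherwise originate.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
    };

    public static EncryptedData Deserialize(string xml)
    {
        var serializer = new XmlSerializer(typeof(EncryptedData));
        using (var sr = new StringReader(xml))
        using (var reader = XmlReader.Create(sr, HardenedSettings()))
        {
            return (EncryptedData)serializer.Deserialize(reader);
        }
    }

    // Stylesheet and input are both read with the hardened settings. A null resolver
    // is passed for xsl:import/xsl:include and for document(), and XsltSettings.Default
    // additionally disables document() and script blocks.
    public static string Transform(string stylesheet, string xml)
    {
        var xslt = new XslCompiledTransform();
        using (var ssr = new StringReader(stylesheet))
        using (var ssReader = XmlReader.Create(ssr, HardenedSettings()))
        {
            xslt.Load(ssReader, XsltSettings.Default, null);
        }
        using (var ir = new StringReader(xml))
        using (var input = XmlReader.Create(ir, HardenedSettings()))
        using (var output = new StringWriter())
        {
            xslt.Transform(input, null, output, null);
            return output.ToString();
        }
    }
}

public static class Program
{
    // Constructed sample based on the question's XML (CipherValue shortened).
    const string SampleXml =
        "<EncryptedData Id=\"ZbjUzHbD37LI2DEuiEGX6A7PSnQ+19dutLPiDxZqnFY=3NLz2QA5KCiXVlJSXejhDQ==\"" +
        " Type=\"http://www.w3.org/2001/04/xmlenc#Element\" xmlns=\"http://www.w3.org/2001/04/xmlenc#\" length=\"44\">" +
        "<EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"/>" +
        "<CipherData><CipherValue>3NLz2QA5KCiXVlJSXejhDQ==</CipherValue></CipherData>" +
        "</EncryptedData>";

    // In XSLT the namespace is addressed through a prefix bound to the same URI;
    // an unprefixed match="EncryptedData" would match nothing in this document.
    const string Stylesheet =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"" +
        " xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\">" +
        "<xsl:output method=\"text\"/>" +
        "<xsl:template match=\"/xenc:EncryptedData\">" +
        "<xsl:value-of select=\"@Id\"/>;<xsl:value-of select=\"@length\"/>;" +
        "<xsl:value-of select=\"xenc:EncryptionMethod/@Algorithm\"/>" +
        "</xsl:template></xsl:stylesheet>";

    public static void Main()
    {
        EncryptedData data = SafeXml.Deserialize(SampleXml);
        Console.WriteLine($"{data.Id} length={data.Length} alg={data.EncryptionMethod.Algorithm}");
        Console.WriteLine(SafeXml.Transform(Stylesheet, SampleXml));
    }
}
```

Forcing a blank namespace works only by lying to the serializer about the document; declaring the real namespace on the class is the equivalent that keeps the document intact, and the resolver settings are what actually decide whether any XML API in the program can reach the network.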