Friday, August 26, 2011

WsUtil Compiler tool

WsUtil Compiler tool

The Windows Windows Web Services compiler tool, WsUtil.exe, supports the service model and serialization of data types. It processes WSDL, XML schema and policy documents, and generates C headers and source files. This tool is similar to WSDL compiler tool for managed code but is aimed at native code instead.
To support the service model, WsUtil.exe generates headers to be used for both client and service. It generates C proxy file for the client side, and C stub files for the service side, as needed.
To support serialization, the compiler generates headers for element descriptions for global element definitions, and all the type definition information in the proxy files that is consumed by the serialization engine.
For command line options for processing WSDL files, XML Schema files, and web service policy files, see the following topics:

Security

When you use WsUtil, be aware of the following issues and observe the appropriate precautions:
  • Wsutil does not retrieve XML metadata over the network, and wsutil does not resolve import and/or include statements in the input metadata files. Wsutil opens and reads wsdl, xsd, and policy files. XML metadata is not tamper resistant. Ensure that you only use wsdl, xsd and policy files are acquired from trusted source and make sure to protect the files from tampering before and after using them. Carefully review the contents of the input files and validate that the contents of files are safe for use in the application. Wsutil.exe does not do any verification of authenticity of the metadata files.
  • Wsutil generates header and stub files, which are not tamper resistant. You need to set the correct level access rights on source files generated by wsutil.exe to prevent unauthoritized access to those files. Wsutil uses System.IO.StreamWriter to create the output files.
  • Users need to be aware that Wsutil can overwrite their local files, and they should be careful to specify safe file names and directories for output files using the /out switch.
  • Wsutil or wsutilhelper.dll loaded in wsutil.exe, may terminate unexpectedly or consume large amount of system resources when under attack or in processing a very large amount of input metadata. The tool is designed to be used during development time only This tool should be used as a development time tool only. It may not be safe for use in the middle tier to process policy information.
  • Wsutilhelper.dll helper DLL is loaded into managed wsutil.exe to process policy information. User should make sure no malicious binary with same filename exists in the binary path. Similarly, user should make sure in the build environment, the binary path is setup correctly that there is no malicious binary with same "wsutil.exe" name exists.
  • Wsutil generates SAL annotation for operations and structure fields when possible. User of wsutil generated files should follow the requirement specified through SAL annotation.

No comments:

Post a Comment