19
var xDoc = XDocument.Load(fileName);

I am using above code in a function to load an XML file. Functionality wise its working fine but it is showing following Veracode Flaw after Veracode check.

Description

The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. By default, the XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.

Recommendations

Configure the XML parser to disable external entity resolution.

What I need to do to resolve it.

MANISH KUMAR CHOUDHARY
  • 3,144
  • 2
  • 20
  • 30

4 Answers4

18

If you are not using external entity references in your XML, you can disable the resolver by setting it to null, from How to prevent XXE attack ( XmlDocument in .net)

XmlDocument xmlDoc = new XmlDocument();
xmlDoc.XmlResolver = null;
xmlDoc.LoadXml(OurOutputXMLString);

If you are expecting the document to contain entity references, then you will need to create a custom resolver and whitelist what you are expecting. Especially, any references to websites that you do not control.

Casey
  • 10,991
  • 17
  • 64
  • 105
6

Implement a custom XmlResolver and use it for reading the XML. By default, the XmlUrlResolver is used, which automatically downloads the resolved references.

public class CustomResolver : XmlUrlResolver
{
    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        // base calls XmlUrlResolver.DownloadManager.GetStream(...) here
    }
}

And use it like this:

var settings = new XmlReaderSettings { XmlResolver = new CustomResolver() };
var reader = XmlReader.Create(fileName, settings);
var xDoc = XDocument.Load(reader);
György Kőszeg
  • 13,565
  • 3
  • 27
  • 53
  • 1
    I am using this code in windows project. Does it make any difference? – MANISH KUMAR CHOUDHARY Aug 25 '15 at 12:02
  • 1
    What goes inside of the GetEntity() method? – gene Oct 01 '15 at 19:02
  • @gene: Normally you should return a stream that contains the DTD or other external source. For example, if you have a document type like this ` `, the `GetEntity` is called with `absoluteUri == "MyDTD.dtd"`, and you should return a stream with its content. You can simply return an empty DTD so the entities defined in the DTD will remain unresolved. – György Kőszeg Oct 02 '15 at 10:30
  • I've done this and performed a rescan in Veracode but I'm getting the same issue. Any idea as to why? – jtate Jun 27 '17 at 17:13
2

According to the official OWASP documentation you need to do this:

Use of XercesDOMParser do this to prevent XXE:

XercesDOMParser *parser = new XercesDOMParser;
parser->setCreateEntityReferenceNodes(false);

Use of SAXParser, do this to prevent XXE:

SAXParser* parser = new SAXParser;
parser->setDisableDefaultEntityResolution(true);

Use of SAX2XMLReader, do this to prevent XXE:

SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();
parser->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);

Take a look at these guide: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

jfcorugedo
  • 8,104
  • 7
  • 33
  • 45
0

you can try this way:

XmlDocument doc = new XmlDocument() { XmlResolver = null };
System.IO.StringReader sreader = new System.IO.StringReader(fileName);
XmlReader reader = XmlReader.Create(sreader, new XmlReaderSettings() { XmlResolver = null });
doc.Load(reader);
Josef
  • 836
  • 10
  • 16
nagendra
  • 1
  • 2