
I'm trying to protect against malicious XXE injections in the XMLs processed by my app. Therefore I'm using XDocument instead of XmlDocument.

The XML represents the payload of a web request so I call XDocument.Parse on its string content. However, I'm seeing the XXE references contained in the XML (&XXE) being replaced in the result with the actual value of ENTITY xxe.

Is it possible to parse the XML with XDocument without replacing &xxe?

Thanks

EDIT: I managed to avoid the replacement of XXEs in the XML by using XmlResolver=null for XDocument.Load

freshbm
Horia Toma

2 Answers

Instead of Parse try to use Load with a pre-configured reader:

using System.IO; using System.Xml; using System.Xml.Linq;
// Character entities are expanded; general entities are returned as EntityReference nodes.
var xdoc = XDocument.Load(new XmlTextReader(new StringReader(xmlContent))
    { EntityHandling = EntityHandling.ExpandCharEntities });

From MSDN:

When EntityHandling is set to ExpandCharEntities, the reader expands character entities and returns general entities as EntityReference nodes.

György Kőszeg
  • I don't want to expand the entities, that would mean I'm injected. – Horia Toma Oct 21 '15 at 11:58
  • This will expand only the character entities, such as `A` but preserves any other entities, like `&XEE;`. At least, the `XmlReader` will return `XmlNodeType.EntityReference` instead of text. See the Remarks here: https://msdn.microsoft.com/en-us/library/system.xml.xmltextreader.entityhandling%28v=vs.110%29.aspx – György Kőszeg Oct 21 '15 at 16:52
Use the following example to stop resolving XXE (schemas and DTD).

Imports System.Xml
Imports System.Xml.Linq
' Assumed here: _patternFilePath holds the path of the XML file to load.
Dim patternDocument As XDocument
Dim objXmlReader As New XmlTextReader(_patternFilePath)
' A Nothing resolver stops the reader from fetching external DTDs, schemas and entities.
objXmlReader.XmlResolver = Nothing
patternDocument = XDocument.Load(objXmlReader)
Stephen Kennedy
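A null XmlResolver only stops the reader from fetching external DTDs and entities; an entity declared inline in the DOCTYPE is still expanded by XDocument.Parse, which is what the question observed. The following C# program is an added example (not code from either answer) that rejects any DOCTYPE with DtdProcessing.Prohibit and keeps XmlResolver = null as defence in depth; the two XML strings are constructed sample inputs.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

static class SafeXmlLoader
{
    // Hardened loader for untrusted payloads: a DOCTYPE (and therefore any
    // ENTITY declaration) makes the reader throw XmlException, and a null
    // resolver ensures nothing is fetched from disk or the network even if
    // DtdProcessing were later relaxed to Ignore.
    public static XDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            return XDocument.Load(reader);
        }
    }

    static void Main()
    {
        // Constructed sample: an internal entity declared in the DOCTYPE.
        const string withDtd =
            "<!DOCTYPE root [<!ENTITY xxe 'internal-value'>]><root>&xxe;</root>";
        // Constructed sample: the same payload shape without any DOCTYPE.
        const string plain = "<root>literal</root>";

        // XDocument.Parse processes the DTD and substitutes the entity text.
        Console.WriteLine("Parse gives: " + XDocument.Parse(withDtd).Root.Value);

        // The hardened loader refuses the document before any expansion happens.
        try
        {
            LoadUntrusted(withDtd);
            Console.WriteLine("Unexpected: DOCTYPE was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected untrusted DTD: " + ex.Message);
        }

        // Ordinary payloads without a DOCTYPE still load normally.
        Console.WriteLine("Safe load gives: " + LoadUntrusted(plain).Root.Value);
    }
}
```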