1

We recently failed a Veracode security scan due to several CWE-611: Improper Restriction of XML External Entity Reference ('XXE') errors.

There have been several questions on this topic asked and answered and I've tried using the solutions provided but am getting no where with them. They worked on others we had but those all dealt with XmlDocument(). This one doesn't. The problem is this statement:

authObj = serializer.Deserialize(New IO.StringReader(xml))

It's about 4/5 down (~19 lines up from bottom. Here is the code:

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires upon attempting to authenticate the use
    Dim authCookie As HttpCookie = Context.Request.Cookies("MoHWoRXAuth")

    Dim blnLogRequest As Boolean = Context.Request.QueryString.Count > 0 AndAlso _
                                    (Context.Request.QueryString(0).ToLower() = "logs" OrElse Context.Request.QueryString("logfile") IsNot Nothing)

    If blnLogRequest Then
        authCookie = Context.Request.Cookies(FormsAuthentication.FormsCookieName)
        If authCookie Is Nothing Then
            Response.Redirect("***" & Context.Server.UrlEncode(Context.Request.Url.OriginalString), False)
        End If
    End If

    ' NOTE
    ' I guess we have to make the user every time from the auth ticket.
    If authCookie Is Nothing Then
        ' no auth ticket yet
        Exit Sub
    End If
    Dim authTicket As FormsAuthenticationTicket
    Try
        authTicket = FormsAuthentication.Decrypt(authCookie.Value)
    Catch ex As Exception
        'TODO log this 
        Exit Sub
    End Try
    If authTicket Is Nothing Then
        'decrypt failed...probably should log
        Exit Sub
    End If

    Dim rl As New ArrayList()
    If blnLogRequest Then
        Dim c As CurrentUser = CurrentUser.CreateFromXML(authTicket.UserData())

        Dim r As dhss.mohsaic.web.classes.Role
        For Each r In c.CurrentAgency.RoleList
            rl.Add(r.RoleName)
        Next
    Else
        Dim xml As String = authTicket.UserData
        Dim authObj As Object = Nothing
        Dim serializer As System.Xml.Serialization.XmlSerializer = Nothing            
        If xml.Contains("<CensusLoginInfo") Then
            serializer = New System.Xml.Serialization.XmlSerializer(GetType(MoHWoRXCensus_Business.CensusLoginInfo))
        End If
        If serializer IsNot Nothing Then
            authObj = serializer.Deserialize(New IO.StringReader(xml))
            rl.Add("Provider") 'mark this user as a provider since they've logged in
        End If
    End If

    If authTicket IsNot Nothing Then
        HttpContext.Current.Items("authTicket") = authCookie.Value
    End If

    Dim fid As New FormsIdentity(authTicket)
    Dim gp As New System.Security.Principal.GenericPrincipal(fid, rl.ToArray(GetType(String)))
    Context.User = gp

    ''this line allows log requests to be processed thru the server by development staff - bypassing 
    ''the wait time associated with sending a log file IM request
    ''TODO: how do we pass WCF links thru the chain?
    'ErrorLogWriter.processLogRequest()

End Sub

The solutions for others I've seen consist of adding the following lines of code:

Dim settings = New XmlReaderSettings()
''allow entity parsing but do so more safely
settings.DtdProcessing = DtdProcessing.Ignore
settings.XmlResolver = Nothing

This worked for many of the Veracode failures but not on this one.

comfortablyNumb
  • 195
  • 1
  • 17

0 Answers0