How to prevent an XML External Entity (XXE) attack during .NET deserialization

We conduct a security analysis of our code using Veracode, and it shows a flaw for the code below, in particular when calling Deserialize(). How can we prevent the serializer from accessing external objects? My attempt below to set XmlResolver to null for the XmlReader does not work.

using System.IO;
using System.Text;
using System.Xml;

public static T DeserializeObject<T>(string xml, string Namespace) where T : class
{
    System.Xml.Serialization.XmlSerializer serializer =
        new System.Xml.Serialization.XmlSerializer(typeof(T), Namespace);
    MemoryStream stream = new MemoryStream(Encoding.Default.GetBytes(xml));
    XmlReaderSettings settings = new XmlReaderSettings();
    // discard any DTD instead of processing it, and never resolve external resources
    settings.DtdProcessing = DtdProcessing.Ignore;
    settings.XmlResolver = null;
    using (XmlReader reader = XmlReader.Create(stream, settings))
    {
        return serializer.Deserialize(reader) as T;
    }
}

Can anyone suggest what I might be missing, or whether there is anything else to try?

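The following is an added example, not the poster's code: a hardened version of the same deserializer that rejects any DTD with DtdProcessing.Prohibit (stricter than Ignore, and also the XmlReaderSettings default), keeps XmlResolver at null so no external resource is ever fetched, and caps entity expansion. The Person type, the SafeXmlDeserializer class name and the two sample documents are assumptions made for the demonstration. The Main method shows that a plain document deserializes normally while a document carrying a DOCTYPE is refused by the reader before any entity is processed.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Assumed target type for the demonstration (any public POCO with a
// parameterless constructor works with XmlSerializer).
public class Person
{
    public string Name { get; set; }
}

public static class SafeXmlDeserializer
{
    // Hardened variant of the deserializer in the question. A <!DOCTYPE>, and
    // therefore any external entity it could declare, is rejected outright.
    public static T DeserializeObject<T>(string xml, string defaultNamespace) where T : class
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // throw on any DTD (the .NET default)
            XmlResolver = null,                      // never fetch external resources
            MaxCharactersFromEntities = 1024         // cap on entity expansion as defence in depth
        };

        var serializer = new XmlSerializer(typeof(T), defaultNamespace);
        using (var stringReader = new StringReader(xml))
        using (var reader = XmlReader.Create(stringReader, settings))
        {
            return serializer.Deserialize(reader) as T;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input: a plain document deserializes normally.
        const string benign = "<Person><Name>Alice</Name></Person>";
        Person p = SafeXmlDeserializer.DeserializeObject<Person>(benign, null);
        Console.WriteLine($"Benign document parsed: Name={p.Name}");

        // Constructed sample input: the same document with a DOCTYPE prepended.
        // With DtdProcessing.Prohibit the reader throws as soon as it sees the DTD,
        // so the entity reference in <Name> is never expanded.
        const string withDtd =
            "<!DOCTYPE Person [<!ENTITY x \"test\">]><Person><Name>&x;</Name></Person>";
        try
        {
            SafeXmlDeserializer.DeserializeObject<Person>(withDtd, null);
            Console.WriteLine("Unexpected: DTD was accepted");
        }
        catch (Exception ex) when (ex is XmlException || ex.InnerException is XmlException)
        {
            // XmlSerializer usually wraps reader errors in an InvalidOperationException
            // whose InnerException is the XmlException raised for the prohibited DTD.
            Exception cause = ex as XmlException ?? ex.InnerException;
            Console.WriteLine("Rejected as expected: " + cause.Message);
        }
    }
}
```

Prohibit is preferable to Ignore when the application never expects a DTD, because a rejected document is visible in logs as an error rather than being silently stripped of its DTD. Note that the settings must be the ones actually passed to XmlReader.Create; a static analyzer that cannot follow that data flow may still flag the Deserialize call even though the reader is configured safely.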

Source: https://habr.com/ru/post/1241428/
