c# - XXE:使用 XDocument 对 XML 外部实体引用的不当限制

Question

因此，当我对我的应用程序运行安全扫描时遇到了问题。 It turns out that I am failing to protect against XXE . 这是一个显示有问题的代码的简短片段:

static void Main()
        {
            string inp = Console.ReadLine();
            string xmlStr = ""; //This has a value that is much too long to put into a single post

            if (!string.IsNullOrEmpty(inp))
            {
                xmlStr = inp;
            }
            XmlDocument xmlDocObj = new XmlDocument {XmlResolver = null};
            xmlDocObj.LoadXml(xmlStr);
            XmlNodeList measureXmlNodeListObj = xmlDocObj.SelectNodes("REQ/MS/M");

            foreach (XmlNode measureXmlNodeObj in measureXmlNodeListObj)
            {
                XmlNode detailXmlNodeListObj = xmlDocObj.SelectSingleNode("REQ/DTD");
                string measureKey = measureXmlNodeObj.Attributes["KY"].Value;
                if (detailXmlNodeListObj.Attributes["MKY"].Value ==
                    measureKey) //Checking if selected MeasureKey is same 
                {
                    XmlNode filerNode = measureXmlNodeObj.SelectSingleNode("FS");

                    if (filerNode != null)
                    {

                        XDocument fixedFilterXmlObj = XDocument.Load(new StringReader(filerNode.OuterXml));

                        var measureFixedFilters = (from m in fixedFilterXmlObj.Element("FS").Elements("F")
                            select m).ToList();
                        foreach (var fixedFilter in measureFixedFilters)
                        {
                            var fixedFilterValues = (from m in fixedFilter.Elements("VS").Elements("V")
                                select m.Attribute("DESC").Value).ToList();

                            foreach (var value in fixedFilterValues)
                            {
                                Console.WriteLine(value.Trim());
                            }
                        }
                    }
                }
            }
            Console.ReadLine();
        }

根据 Veracode，不安全的行是 XDocument fixedFilterXmlObj = XDocument.Load(new StringReader(filerNode.OuterXml));

但根据 Owsap 看来，it should be safe :

Both the XElement and XDocument objects in the System.Xml.Linq library are safe from XXE injection by default. XElement parses only the elements within the XML file, so DTDs are ignored altogether. XDocument has DTDs disabled by default, and is only unsafe if constructed with a different unsafe XML parser.

所以看起来我犯了错误，使用了 usafe XML 解析器，打开 XDocument 到 XXE。

I found a unit test that replicates the issue并且还可以安全使用 XDocument 但我似乎无法找到我的代码到底有什么不安全的，因为我不使用:

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Parse;   // unsafe!

您可以运行我的代码来重现该问题，但您应该将空 xmlStr 行替换为以下值:here (对于一个帖子来说太大了)

Answer 1

我不确定它是如何或为什么起作用的，但确实如此:

XDocument fixedFilterXmlObj;
using (XmlNodeReader nodeReader = new XmlNodeReader(filerNode))
{
    nodeReader.MoveToContent();
    fixedFilterXmlObj = XDocument.Load(nodeReader);
}