fix: secure XML loading against external entity injection (!319)

mr: !319 issue:

fix: secure XML loading against external entity injection (!319)
88c60075 · Stefanos DOUMPOULAKIS · 2e2574d7 · 947a1964 · 88c60075 · 88c60075
Commit 88c60075 authored 2 months ago by Stefanos DOUMPOULAKIS
--- a/VectoCore/VectoCore/InputData/FileIO/JSON/JSONInputData.cs
+++ b/VectoCore/VectoCore/InputData/FileIO/JSON/JSONInputData.cs
@@ -774,10 +774,9 @@ namespace TUGraz.VectoCore.InputData.FileIO.JSON

 		public void ValidateSimulationToolVersion()
 		{
-			var xmlDoc = new XmlDocument();
-			xmlDoc.Load(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
-			
-			string simToolVersionStr = XMLManufacturerReportReader.ReadElementValue(xmlDoc, "SimulationToolVersion");
+			var xmlDoc = XMLHelper.SecureLoadXML(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
+
+            string simToolVersionStr = XMLManufacturerReportReader.ReadElementValue(xmlDoc, "SimulationToolVersion");
 			string vectoVersionStr = VectoSimulationCore.VersionNumber;

 			bool xmlVersionNewer = VersioningUtil.CompareVersions(simToolVersionStr, vectoVersionStr) > 0;
@@ -789,10 +788,9 @@ namespace TUGraz.VectoCore.InputData.FileIO.JSON

 		public void ValidateHash()
 		{
-			var xmlDoc = new XmlDocument();
-			xmlDoc.Load(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
-			
-			var signatureNode = xmlDoc.SelectSingleNode("//*[local-name()='Signature']");
+			var xmlDoc = XMLHelper.SecureLoadXML(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
+
+            var signatureNode = xmlDoc.SelectSingleNode("//*[local-name()='Signature']");
 			var signatureDigest = new DigestData(signatureNode);

 			var hash = XMLHashProvider.ComputeHash(xmlDoc, signatureDigest.Reference.Remove(0, 1), signatureDigest.CanonicalizationMethods,
@@ -807,8 +805,8 @@ namespace TUGraz.VectoCore.InputData.FileIO.JSON

 		private void ReadManufacturerReport()
 		{
-			var xmlDoc = new XmlDocument();
-			xmlDoc.Load(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
+			var xmlDoc = XMLHelper.SecureLoadXML(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
+
 			var components = XMLManufacturerReportReader.GetContainingComponents(xmlDoc).GroupBy(s => s)
 														.Select(g => new { Entry = g.Key, Count = g.Count() });
 			_componentDigests = new Dictionary<VectoComponents, IList<string>>();

--- a/VectoCore/VectoCore/Utils/XMLHelper.cs
+++ b/VectoCore/VectoCore/Utils/XMLHelper.cs
@@ -33,6 +33,7 @@ using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Text;
 using System.Xml;
 using System.Xml.Linq;
 using System.Xml.Schema;
@@ -436,7 +437,20 @@ namespace TUGraz.VectoCore.Utils
 			return type;
        }
 		
+		public static XmlDocument SecureLoadXML(string filePath)
+		{
+            var document = new XmlDocument();
+            MemoryStream stream = new MemoryStream(File.ReadAllBytes(filePath));
+			
+			XmlReaderSettings settings = new XmlReaderSettings() { DtdProcessing = DtdProcessing.Ignore, XmlResolver = null };
+            
+			document.Load(XmlReader.Create(stream, settings));

+			stream.Close();
+			stream.Dispose();
+
+			return document;
+		}

 	}
 }
\ No newline at end of file