
Commit 947a1964 authored by Stefanos Doumpoulakis's avatar Stefanos Doumpoulakis

fix: secure XML loading against external entity injection

parent 2e2574d7
......@@ -774,8 +774,7 @@ namespace TUGraz.VectoCore.InputData.FileIO.JSON
public void ValidateSimulationToolVersion()
{
var xmlDoc = new XmlDocument();
xmlDoc.Load(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
var xmlDoc = XMLHelper.SecureLoadXML(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
string simToolVersionStr = XMLManufacturerReportReader.ReadElementValue(xmlDoc, "SimulationToolVersion");
string vectoVersionStr = VectoSimulationCore.VersionNumber;
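Review bot: The three call sites in ValidateSimulationToolVersion, ValidateHash and ReadManufacturerReport now repeat the same `XMLHelper.SecureLoadXML(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()))` expression; a private `LoadManufacturerRecord()` helper returning the XmlDocument would keep the secure loader as the single entry point and make it harder for one of them to drift back to `XmlDocument.Load` later. The path argument on the new line is also worth a second look: `Path.Combine` returns its second argument unchanged when that argument is rooted, so a manufacturer-record value that is an absolute path is not confined to BasePath — if the JSON body is not fully trusted, resolving the combined path with `Path.GetFullPath` and checking that it still starts with the BasePath prefix would close that. The bodies of all three methods continue outside their hunks.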
......@@ -789,8 +788,7 @@ namespace TUGraz.VectoCore.InputData.FileIO.JSON
public void ValidateHash()
{
var xmlDoc = new XmlDocument();
xmlDoc.Load(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
var xmlDoc = XMLHelper.SecureLoadXML(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
var signatureNode = xmlDoc.SelectSingleNode("//*[local-name()='Signature']");
var signatureDigest = new DigestData(signatureNode);
......@@ -807,8 +805,8 @@ namespace TUGraz.VectoCore.InputData.FileIO.JSON
private void ReadManufacturerReport()
{
var xmlDoc = new XmlDocument();
xmlDoc.Load(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
var xmlDoc = XMLHelper.SecureLoadXML(Path.Combine(Path.GetFullPath(BasePath), Body["ManufacturerRecord"].Value<string>()));
var components = XMLManufacturerReportReader.GetContainingComponents(xmlDoc).GroupBy(s => s)
.Select(g => new { Entry = g.Key, Count = g.Count() });
_componentDigests = new Dictionary<VectoComponents, IList<string>>();
......
......@@ -33,6 +33,7 @@ using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Xml;
using System.Xml.Linq;
using System.Xml.Schema;
......@@ -436,7 +437,20 @@ namespace TUGraz.VectoCore.Utils
return type;
}
public static XmlDocument SecureLoadXML(string filePath)
{
var document = new XmlDocument();
MemoryStream stream = new MemoryStream(File.ReadAllBytes(filePath));
XmlReaderSettings settings = new XmlReaderSettings() { DtdProcessing = DtdProcessing.Ignore, XmlResolver = null };
document.Load(XmlReader.Create(stream, settings));
stream.Close();
stream.Dispose();
return document;
}
}
}
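Review bot: The reader returned by `XmlReader.Create(stream, settings)` in SecureLoadXML is never disposed, while the MemoryStream next to it is closed and disposed by hand; both belong in `using` blocks, and reading directly from `File.OpenRead(filePath)` avoids buffering the whole file with `File.ReadAllBytes` first. `DtdProcessing.Ignore` silently drops any DOCTYPE, whereas `DtdProcessing.Prohibit` (the XmlReaderSettings default) makes the reader throw on one, which is the stricter choice for a loader whose stated purpose is to block entity injection — provided the manufacturer records never legitimately carry a DTD, which I cannot confirm from here. Setting `XmlResolver = null` on the XmlDocument itself as well makes it explicit that no resolution is expected at the document level either. A short `/// <summary>` saying that this loader disables DTD processing and external resource resolution, and that callers must use it instead of `XmlDocument.Load`, would document why the three call sites were changed.
```csharp
public static XmlDocument SecureLoadXML(string filePath)
{
    // Prohibit (the default) rejects any DOCTYPE outright instead of silently skipping it;
    // a null resolver blocks external resource fetches in the reader and in the document.
    var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
    using (var stream = File.OpenRead(filePath))
    using (var reader = XmlReader.Create(stream, settings))
    {
        var document = new XmlDocument { XmlResolver = null };
        document.Load(reader);
        return document;
    }
}
```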
\ No newline at end of file