8

我们正在使用 veracode 对我们的代码进行安全分析,并显示以下代码的 XXE 缺陷,特别是在调用 Deserialize() 的地方。我们如何防止序列化程序访问外部实体。我在下面为 XMLReader 将 XMLresolver 设置为 null 的尝试不起作用。

    public static T DeserializeObject(string xml, string Namespace)
    {
        System.Xml.Serialization.XmlSerializer serializer = new System.Xml.Serialization.XmlSerializer(typeof(T), Namespace);

        MemoryStream stream =
                new MemoryStream(Encoding.Default.GetBytes(xml));
        XmlReaderSettings settings = new XmlReaderSettings();

        // allow entity parsing but do so more safely
        settings.DtdProcessing = DtdProcessing.Ignore;
        settings.XmlResolver = null;

        using (XmlReader reader = XmlReader.Create(stream, settings))
        {
            return serializer.Deserialize(reader) as T;
        }
    }

任何人都可以建议我可能缺少什么,或者是否有其他尝试。

4

1 回答 1

2

我有类似的问题。当您从字符串中读取时,您需要使用 xmlTextReader 更改 xmlReader。

像这样的东西 -

  public static T DeserializeObject(string xml, string Namespace)
  {
        System.Xml.Serialization.XmlSerializer serializer = new System.Xml.Serialization.XmlSerializer(typeof(T), Namespace);

        //**** I don't think you need this block of code *********
        //MemoryStream stream = new MemoryStream(Encoding.Default.GetBytes(xml));
        //XmlReaderSettings settings = new XmlReaderSettings();

        // allow entity parsing but do so more safely
        //settings.DtdProcessing = DtdProcessing.Ignore;
        //settings.XmlResolver = null;
        //*********************************************

        XmlTextReader reader = new XmlTextReader(xml)
        {
            XmlResolver = null
        };

        return serializer.Deserialize(reader) as T;
  }

一切顺利!

于 2018-05-09T04:34:19.610 回答