1

由于几个 CWE-611:XML 外部实体引用的不当限制 ('XXE') 错误,我们最近未能通过 Veracode 安全扫描。

有几个关于这个主题的问题被问到并得到了回答,我尝试使用提供的解决方案,但没有得到他们的帮助。他们为我们拥有的其他人工作,但那些都处理 XmlDocument()。这个没有。问题是这样的声明:

authObj = serializer.Deserialize(New IO.StringReader(xml))

它大约下降了 4/5(从底部向上约 19 行。这是代码:

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires upon attempting to authenticate the use
    Dim authCookie As HttpCookie = Context.Request.Cookies("MoHWoRXAuth")

    Dim blnLogRequest As Boolean = Context.Request.QueryString.Count > 0 AndAlso _
                                    (Context.Request.QueryString(0).ToLower() = "logs" OrElse Context.Request.QueryString("logfile") IsNot Nothing)

    If blnLogRequest Then
        authCookie = Context.Request.Cookies(FormsAuthentication.FormsCookieName)
        If authCookie Is Nothing Then
            Response.Redirect("***" & Context.Server.UrlEncode(Context.Request.Url.OriginalString), False)
        End If
    End If

    ' NOTE
    ' I guess we have to make the user every time from the auth ticket.
    If authCookie Is Nothing Then
        ' no auth ticket yet
        Exit Sub
    End If
    Dim authTicket As FormsAuthenticationTicket
    Try
        authTicket = FormsAuthentication.Decrypt(authCookie.Value)
    Catch ex As Exception
        'TODO log this 
        Exit Sub
    End Try
    If authTicket Is Nothing Then
        'decrypt failed...probably should log
        Exit Sub
    End If

    Dim rl As New ArrayList()
    If blnLogRequest Then
        Dim c As CurrentUser = CurrentUser.CreateFromXML(authTicket.UserData())

        Dim r As dhss.mohsaic.web.classes.Role
        For Each r In c.CurrentAgency.RoleList
            rl.Add(r.RoleName)
        Next
    Else
        Dim xml As String = authTicket.UserData
        Dim authObj As Object = Nothing
        Dim serializer As System.Xml.Serialization.XmlSerializer = Nothing            
        If xml.Contains("<CensusLoginInfo") Then
            serializer = New System.Xml.Serialization.XmlSerializer(GetType(MoHWoRXCensus_Business.CensusLoginInfo))
        End If
        If serializer IsNot Nothing Then
            authObj = serializer.Deserialize(New IO.StringReader(xml))
            rl.Add("Provider") 'mark this user as a provider since they've logged in
        End If
    End If

    If authTicket IsNot Nothing Then
        HttpContext.Current.Items("authTicket") = authCookie.Value
    End If

    Dim fid As New FormsIdentity(authTicket)
    Dim gp As New System.Security.Principal.GenericPrincipal(fid, rl.ToArray(GetType(String)))
    Context.User = gp

    ''this line allows log requests to be processed thru the server by development staff - bypassing 
    ''the wait time associated with sending a log file IM request
    ''TODO: how do we pass WCF links thru the chain?
    'ErrorLogWriter.processLogRequest()

End Sub

我见过的其他人的解决方案包括添加以下代码行:

Dim settings = New XmlReaderSettings()
''allow entity parsing but do so more safely
settings.DtdProcessing = DtdProcessing.Ignore
settings.XmlResolver = Nothing

这适用于许多 Veracode 故障,但不适用于这一故障。

4

0 回答 0