We are using Veracode to run a security analysis on our code, and it reports an XXE flaw for the code below, specifically on the call to Deserialize(). How can we prevent the serializer from accessing external entities? I tried setting the XmlResolver to null, as shown below, with no effect.
    using System.IO;
    using System.Text;
    using System.Xml;

    // T must be a reference type for the "as T" cast to compile.
    public static T DeserializeObject<T>(string xml, string Namespace) where T : class
    {
        System.Xml.Serialization.XmlSerializer serializer =
            new System.Xml.Serialization.XmlSerializer(typeof(T), Namespace);
        MemoryStream stream = new MemoryStream(Encoding.Default.GetBytes(xml));
        XmlReaderSettings settings = new XmlReaderSettings();
        // allow entity parsing but do so more safely
        settings.DtdProcessing = DtdProcessing.Ignore; // any DOCTYPE is skipped rather than parsed
        settings.XmlResolver = null;                   // never fetch external resources
        using (XmlReader reader = XmlReader.Create(stream, settings))
        {
            return serializer.Deserialize(reader) as T;
        }
    }
Can anyone suggest what I might be missing, or whether there is something else I should try?
Answer 0 (score: 0)
I had a similar problem. When you are reading from a string, you need to replace the XmlReader with an XmlTextReader.
Something like this:
    using System.IO;
    using System.Xml;

    public static T DeserializeObject<T>(string xml, string Namespace) where T : class
    {
        System.Xml.Serialization.XmlSerializer serializer =
            new System.Xml.Serialization.XmlSerializer(typeof(T), Namespace);
        //**** I don't think you need this block of code *********
        //MemoryStream stream = new MemoryStream(Encoding.Default.GetBytes(xml));
        //XmlReaderSettings settings = new XmlReaderSettings();
        // allow entity parsing but do so more safely
        //settings.DtdProcessing = DtdProcessing.Ignore;
        //settings.XmlResolver = null;
        //*********************************************
        // XmlTextReader(string) treats the argument as a URL, so wrap the XML
        // string in a StringReader. A null XmlResolver stops the reader from
        // fetching external entities; note that XmlTextReader still parses an
        // inline DTD unless DtdProcessing is set.
        using (XmlTextReader reader = new XmlTextReader(new StringReader(xml))
        {
            XmlResolver = null
        })
        {
            return serializer.Deserialize(reader) as T;
        }
    }
Good luck!
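For anyone wanting to verify a fix like the ones above rather than trust the scanner, the following added C# example (not code from the question or the answer) builds the reader with DtdProcessing.Prohibit and a null XmlResolver, then shows that a document carrying a DOCTYPE is rejected with an XmlException before any entity is expanded, while the same document without a DOCTYPE deserializes normally. The Person type and both input strings are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

public class Person { public string Name { get; set; } } // constructed sample type

public static class SafeXml
{
    // Hardened variant of the question's helper: DTDs are rejected outright and
    // no resolver exists, so no entity (internal or external) can be expanded
    // while XmlSerializer reads the document.
    public static T DeserializeObject<T>(string xml, string defaultNamespace) where T : class
    {
        var serializer = new XmlSerializer(typeof(T), defaultNamespace);
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> throws XmlException
            XmlResolver = null                      // never fetch external resources
        };
        using (var text = new StringReader(xml))
        using (var reader = XmlReader.Create(text, settings))
        {
            return serializer.Deserialize(reader) as T;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs: a plain document, and one carrying a DOCTYPE with
        // an internal entity, which is the shape an XXE probe takes.
        const string plain = "<Person><Name>alice</Name></Person>";
        const string withDtd = "<!DOCTYPE Person [<!ENTITY x \"expanded\">]>"
                             + "<Person><Name>&x;</Name></Person>";
        Console.WriteLine(SafeXml.DeserializeObject<Person>(plain, null).Name);
        try
        {
            SafeXml.DeserializeObject<Person>(withDtd, null);
            Console.WriteLine("unexpected: DOCTYPE was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("rejected as expected: " + ex.Message);
        }
    }
}
```

Ignore (as in the question) skips the DOCTYPE, while Prohibit fails loudly, which is the behaviour you want when untrusted input reaches the deserializer.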