由于多个CWE-611:XML外部实体参考(' XXE')错误的不当限制,我们最近未通过Veracode安全扫描。
关于这个主题已经有几个问题被问到并回答了,我已经尝试过使用所提供的解决方案,但我们没有与他们在一起。他们在我们拥有的其他人身上工作但是那些都处理了XmlDocument()。这个没有。问题是这句话:
authObj = serializer.Deserialize(New IO.StringReader(xml))
它大约是4/5向下(从底部向上约19行。这是代码:
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
' Fires upon attempting to authenticate the use
Dim authCookie As HttpCookie = Context.Request.Cookies("MoHWoRXAuth")
Dim blnLogRequest As Boolean = Context.Request.QueryString.Count > 0 AndAlso _
(Context.Request.QueryString(0).ToLower() = "logs" OrElse Context.Request.QueryString("logfile") IsNot Nothing)
If blnLogRequest Then
authCookie = Context.Request.Cookies(FormsAuthentication.FormsCookieName)
If authCookie Is Nothing Then
Response.Redirect("***" & Context.Server.UrlEncode(Context.Request.Url.OriginalString), False)
End If
End If
' NOTE
' I guess we have to make the user every time from the auth ticket.
If authCookie Is Nothing Then
' no auth ticket yet
Exit Sub
End If
Dim authTicket As FormsAuthenticationTicket
Try
authTicket = FormsAuthentication.Decrypt(authCookie.Value)
Catch ex As Exception
'TODO log this
Exit Sub
End Try
If authTicket Is Nothing Then
'decrypt failed...probably should log
Exit Sub
End If
Dim rl As New ArrayList()
If blnLogRequest Then
Dim c As CurrentUser = CurrentUser.CreateFromXML(authTicket.UserData())
Dim r As dhss.mohsaic.web.classes.Role
For Each r In c.CurrentAgency.RoleList
rl.Add(r.RoleName)
Next
Else
Dim xml As String = authTicket.UserData
Dim authObj As Object = Nothing
Dim serializer As System.Xml.Serialization.XmlSerializer = Nothing
If xml.Contains("<CensusLoginInfo") Then
serializer = New System.Xml.Serialization.XmlSerializer(GetType(MoHWoRXCensus_Business.CensusLoginInfo))
End If
If serializer IsNot Nothing Then
authObj = serializer.Deserialize(New IO.StringReader(xml))
rl.Add("Provider") 'mark this user as a provider since they've logged in
End If
End If
If authTicket IsNot Nothing Then
HttpContext.Current.Items("authTicket") = authCookie.Value
End If
Dim fid As New FormsIdentity(authTicket)
Dim gp As New System.Security.Principal.GenericPrincipal(fid, rl.ToArray(GetType(String)))
Context.User = gp
''this line allows log requests to be processed thru the server by development staff - bypassing
''the wait time associated with sending a log file IM request
''TODO: how do we pass WCF links thru the chain?
'ErrorLogWriter.processLogRequest()
End Sub
我见过的其他人的解决方案包括添加以下代码行:
Dim settings = New XmlReaderSettings()
''allow entity parsing but do so more safely
settings.DtdProcessing = DtdProcessing.Ignore
settings.XmlResolver = Nothing
这适用于许多Veracode的失败,但不适用于此。