
The code below is detected as XML injection by Fortify. Can someone please help me fix the issue?

using System.Xml;
using System.Xml.Linq;

// Return types were omitted in the original; void is assumed here.
void LockUserXml(string xml)
{
   var doc = XDocument.Parse(xml);
   ..
   ..
}

void LocalUserXml(XmlElement root, ExportXmlParameter param)
{
   XElement rootElement = XElement.Parse(root.OuterXml);
   ..
   ..
   ..
}


From Microsoft doc:

How to fix XML violations

  • Don't write raw XML. Instead, use methods or properties that XML-encode their input.

  • Or, XML-encode input before writing raw XML.

  • Or, validate user input by using sanitizers for primitive type conversion and XML encoding

What you can do is use Load instead of Parse with configured reader settings (see XmlReaderSettings), as follows:

using System.IO;
using System.Xml;
using System.Xml.Linq;

void LockUserXml(string xml)
{
   // XmlResolver = null: external entities and DTDs are never resolved/fetched
   var xmlReader = XmlReader.Create(new StringReader(xml), new XmlReaderSettings() { XmlResolver = null });
   var doc = XDocument.Load(xmlReader);
   ..
   ..
}

See also How to prevent XXE attack (XmlDocument in .net)

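As an added, self-contained example (not code from the question or the answer above), the following C# program shows the two fixes the answer points at: loading untrusted XML through an XmlReader whose settings forbid DTDs and external resolution, and building XML from untrusted values with LINQ to XML so that the values are encoded rather than written as raw markup. It goes slightly beyond the answer's snippet by also setting DtdProcessing.Prohibit (so a DOCTYPE is rejected outright rather than merely not resolved). The class and method names (SafeXml, LoadUntrusted, BuildUserElement) and all sample inputs are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

// Added example: hardened loading of untrusted XML and safe construction of XML
// from untrusted values. Names here are illustrative, not from the original post.
public static class SafeXml
{
    // DtdProcessing.Prohibit: any <!DOCTYPE ...> makes XmlReader throw XmlException.
    // XmlResolver = null: no external entity or DTD is ever fetched, even if allowed.
    private static readonly XmlReaderSettings HardenedSettings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    // Drop-in replacement for XDocument.Parse(xml) when xml comes from an untrusted source.
    public static XDocument LoadUntrusted(string xml)
    {
        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings))
        {
            return XDocument.Load(reader);
        }
    }

    // Builds a <user> element from untrusted values. LINQ to XML stores the strings as
    // attribute/text values and escapes them on serialization, so a value cannot inject
    // markup; this is the "use methods that XML-encode their input" fix from the docs.
    public static XElement BuildUserElement(string userName, string status)
    {
        return new XElement("user",
            new XAttribute("name", userName),
            new XElement("status", status));
    }

    public static void Main()
    {
        // Constructed input: well-formed XML without a DOCTYPE loads normally.
        const string benign = "<users><user name=\"alice\"><status>locked</status></user></users>";
        XDocument doc = LoadUntrusted(benign);
        Console.WriteLine("Loaded root <" + doc.Root.Name + "> with " + doc.Root.Elements().Count() + " user(s)");

        // Constructed input: a document that declares a DOCTYPE is rejected by the reader
        // before any entity is expanded or resolved.
        const string withDoctype = "<!DOCTYPE users [<!ENTITY x \"test\">]><users>&x;</users>";
        try
        {
            LoadUntrusted(withDoctype);
            Console.WriteLine("unexpected: DOCTYPE was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected as expected: " + ex.Message);
        }

        // Constructed untrusted value that tries to close the element and add markup.
        string hostile = "</status><admin>true</admin>";
        XElement built = BuildUserElement("bob", hostile);
        // Serialized output contains &lt;/status&gt;... as text; no <admin> element exists.
        Console.WriteLine(built.ToString(SaveOptions.DisableFormatting));
        Console.WriteLine("admin element present: " + (built.Element("admin") != null)); // False
    }
}
```

The `Count()` call on `doc.Root.Elements()` needs `using System.Linq;` if your project does not already import it; everything else is in System.Xml and System.Xml.Linq. The same HardenedSettings can be reused for the `XElement.Parse(root.OuterXml)` case in the question by loading through `XmlReader.Create(new StringReader(root.OuterXml), HardenedSettings)` and `XElement.Load(reader)`.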