External XML entities are a feature of XML parsers that allow documents to contain references to other documents or data. This feature can be abused to read files, communicate with external hosts, exfiltrate data, or cause a Denial of Service (DoS).
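/// <summary>
/// Intentionally noncompliant example: parses <paramref name="str"/> with DTD processing
/// enabled, so a document that declares entities has those declarations processed by the
/// parser. Every node's <see cref="XmlReader.Value"/> is written to the console, and the
/// method then waits for one line of console input before returning.
/// </summary>
/// <param name="str">The XML text to parse. Treat it as untrusted input.</param>
/// <exception cref="ArgumentNullException"><paramref name="str"/> is <see langword="null"/>.</exception>
/// <exception cref="XmlException">The text is not well-formed XML.</exception>
public void XmlExternalEntityNoncompliant(string str)
{
    if (str is null)
    {
        throw new ArgumentNullException(nameof(str));
    }

    XmlReaderSettings readersetting = new XmlReaderSettings();
    // Noncompliant: `DtdProcessing.Parse` enables DTD processing, including entity declarations.
    // NOTE(review): whether an external entity is actually fetched also depends on
    // `XmlReaderSettings.XmlResolver`, whose default is framework-version dependent; do not rely
    // on that default for protection — the DTD setting itself is what this rule flags.
    readersetting.DtdProcessing = DtdProcessing.Parse;

    // `using` disposes the reader even when Read() throws (e.g. on malformed input).
    using (XmlReader reader = XmlReader.Create(new StringReader(str), readersetting))
    {
        while (reader.Read())
        {
            Console.WriteLine(reader.Value);
        }
    }

    Console.ReadLine();
}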
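/// <summary>
/// Compliant example: parses <paramref name="str"/> with DTD processing disabled, so any
/// DOCTYPE in the input is skipped and no entity declarations are processed. Every node's
/// <see cref="XmlReader.Value"/> is written to the console, and the method then waits for one
/// line of console input before returning.
/// </summary>
/// <param name="str">The XML text to parse. May be untrusted.</param>
/// <exception cref="ArgumentNullException"><paramref name="str"/> is <see langword="null"/>.</exception>
/// <exception cref="XmlException">The text is not well-formed XML.</exception>
public void XmlExternalEntityCompliant(string str)
{
    if (str is null)
    {
        throw new ArgumentNullException(nameof(str));
    }

    XmlReaderSettings readersetting = new XmlReaderSettings();
    // Compliant: `DtdProcessing.Ignore` disables DTD processing without warnings or exceptions.
    readersetting.DtdProcessing = DtdProcessing.Ignore;
    // Defence in depth: with no resolver the reader cannot fetch external resources, so the
    // parser stays safe even if the DTD setting is changed later.
    readersetting.XmlResolver = null;

    // `using` disposes the reader even when Read() throws (e.g. on malformed input).
    using (XmlReader reader = XmlReader.Create(new StringReader(str), readersetting))
    {
        while (reader.Read())
        {
            Console.WriteLine(reader.Value);
        }
    }

    Console.ReadLine();
}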