Is the .NET method XmlSerializer.Deserialize(TextReader) safe from XML vulnerabilities (XXE, XmlBomb etc..)? Will the DTD be processed during deserialization?

I can understand why XmlSerializer.Deserialize(XmlTextReader) can be unsafe if XmlTextReader.DtdProcessing is set to DtdProcessing.Parse. But is it also unsafe when we use a TextReader?

Anders
Nagarjuna Borra
Since deserializers are interpreters, they are inherently unsafe. As a start, you may want to read about it here https://www.owasp.org/index.php/Deserialization_of_untrusted_data and here https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2. I have not heard about concrete vulnerabilities in .NET though. – Marcel Jun 27 '18 at 12:50

1 Answer

Took a peek into the XmlSerializer.Deserialize code

XmlSerializer.Deserialize(TextReader) internally calls the other override, XmlSerializer.Deserialize(XmlTextReader), with XmlResolver set to null, so it should be safe from XXE attacks. However, if you do want to disable DTD processing altogether, the following should be used instead.

using System.IO;
using System.Xml;
using System.Xml.Serialization;

// xmlInput is a TextReader (e.g. a StringReader); passing a string would be treated as a URL.
// Choose DtdProcessing.Prohibit to reject any DOCTYPE, or DtdProcessing.Ignore to skip it silently.
var xmlTextReader = new XmlTextReader(xmlInput) { DtdProcessing = DtdProcessing.Prohibit };
var result = xmlSerializer.Deserialize(xmlTextReader);

However, I don't see any benefit in disabling DTD processing altogether (especially when it could potentially impact your time-tested code). From my understanding, there are only two XML attacks: XXE and XmlBomb.

As previously mentioned, XXE should not be possible because XmlResolver is set to null.

XmlBomb should also not be possible because MaxCharactersFromEntities is set to a limited value instead of 0 (0 means no limit). If you do try this attack, you'll face an exception saying "The input document has exceeded a limit set by MaxCharactersFromEntities." instead of having the application crash or suffer a DoS attack.

Nagarjuna Borra
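The following is an added example, not code from the question or the answer above, that shows the explicit configuration the answer recommends: an XmlTextReader with a chosen DtdProcessing policy and XmlResolver set to null, run against a constructed document that carries a harmless internal DTD subset. The Person type, the Load helper and the sample document are assumptions made for the demonstration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

public class Person
{
    public string Name { get; set; }
}

public static class SafeDeserialize
{
    // Constructed sample: a benign document that carries an internal DTD subset
    // (no external entities, so nothing would be fetched even under Parse).
    const string SampleXml =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE Person [ <!ENTITY greet \"hello\"> ]>" +
        "<Person><Name>Alice</Name></Person>";

    // Deserialize with an explicit DtdProcessing policy and no XmlResolver,
    // so no external DTD or entity can be resolved regardless of the policy.
    public static Person Load(string xml, DtdProcessing policy)
    {
        var serializer = new XmlSerializer(typeof(Person));
        using (var reader = new XmlTextReader(new StringReader(xml)))
        {
            reader.DtdProcessing = policy;
            reader.XmlResolver = null;
            return (Person)serializer.Deserialize(reader);
        }
    }

    public static void Main()
    {
        foreach (var policy in new[] { DtdProcessing.Prohibit, DtdProcessing.Ignore, DtdProcessing.Parse })
        {
            try
            {
                var p = Load(SampleXml, policy);
                Console.WriteLine($"{policy}: deserialized Name={p.Name}");
            }
            catch (InvalidOperationException ex) when (ex.InnerException is XmlException xe)
            {
                // XmlSerializer wraps reader failures in InvalidOperationException;
                // with Prohibit the inner XmlException rejects the DOCTYPE outright.
                Console.WriteLine($"{policy}: rejected ({xe.Message})");
            }
        }
    }
}
```

Prohibit fails fast on any DOCTYPE, which is the setting to prefer when the input never legitimately needs one; Ignore skips the DTD and deserializes the document; Parse (the XmlTextReader default) processes the DTD but, with XmlResolver null, still cannot fetch external entities. The same policy can be expressed with XmlReader.Create and an XmlReaderSettings object whose DtdProcessing and XmlResolver properties are set the same way.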