Description
XmlServiceValidator.cs deserializes XML using XmlSerializer.Deserialize(StringReader) without safe XmlReaderSettings, unlike XmlServiceSerializer.cs which correctly uses DtdProcessing.Prohibit.
Location
src/Servy.Core/Helpers/XmlServiceValidator.cs, lines 47-51
Problematic code
var serializer = new XmlSerializer(typeof(ServiceDto));
using (var reader = new StringReader(xml))
{
dto = serializer.Deserialize(reader) as ServiceDto;
}
Secure version (already used in XmlServiceSerializer.cs)
var settings = new XmlReaderSettings
{
    DtdProcessing = DtdProcessing.Prohibit, // reject any DOCTYPE before entities can be declared or expanded
    XmlResolver = null,                     // never fetch external resources, even if DTD processing were enabled
};
var serializer = new XmlSerializer(typeof(ServiceDto));
using var reader = new StringReader(xml);
using var xmlReader = XmlReader.Create(reader, settings);
dto = serializer.Deserialize(xmlReader) as ServiceDto;
Severity
Critical — External entities could be processed from untrusted XML input.
Suggested fix
Use XmlReader.Create with DtdProcessing = DtdProcessing.Prohibit and XmlResolver = null, matching what XmlServiceSerializer already does.
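The following is an added, self-contained example (not code from the Servy project) that shows the hardened pattern end to end and what it does with a DOCTYPE-carrying input. The `ServiceDto` shape, the `SafeXml.Deserialize` helper name and the two sample XML strings are constructed assumptions for this example; only the `XmlReaderSettings` values come from the report above. Note that `XmlSerializer` wraps reader failures in an `InvalidOperationException` whose `InnerException` is the `XmlException` raised by the prohibited DTD, so callers should check the inner exception if they want to distinguish malformed XML from a rejected DTD.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical stand-in for the project's ServiceDto (assumed shape, not Servy's real class).
public class ServiceDto
{
    public string Name { get; set; }
    public string Path { get; set; }
}

public static class SafeXml
{
    // Hardened deserialization: DTDs are prohibited and no resolver is attached,
    // so the reader refuses a DOCTYPE outright and can never fetch external resources.
    public static ServiceDto Deserialize(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        var serializer = new XmlSerializer(typeof(ServiceDto));
        using var stringReader = new StringReader(xml);
        using var xmlReader = XmlReader.Create(stringReader, settings);
        return (ServiceDto)serializer.Deserialize(xmlReader);
    }
}

public static class Program
{
    // Constructed sample inputs. The second one carries an inline DTD and models
    // the untrusted input the issue is concerned with.
    private const string BenignXml =
        "<?xml version=\"1.0\"?><ServiceDto><Name>demo</Name><Path>C:\\demo.exe</Path></ServiceDto>";

    private const string XmlWithDtd =
        "<?xml version=\"1.0\"?><!DOCTYPE ServiceDto [<!ENTITY x \"expanded\">]>" +
        "<ServiceDto><Name>&x;</Name><Path>C:\\demo.exe</Path></ServiceDto>";

    public static void Main()
    {
        var dto = SafeXml.Deserialize(BenignXml);
        Console.WriteLine($"Accepted benign input: Name={dto.Name}");

        try
        {
            SafeXml.Deserialize(XmlWithDtd);
            Console.WriteLine("Unexpected: input with a DTD was accepted");
        }
        catch (InvalidOperationException ex) when (ex.InnerException is XmlException inner)
        {
            // Expected with DtdProcessing.Prohibit: the reader stops at the DOCTYPE,
            // before any entity declaration is parsed or expanded.
            Console.WriteLine($"Rejected input with a DTD: {inner.Message}");
        }
    }
}
```

Running this prints the accepted benign record and then the rejection message for the DTD-bearing input; the same helper can replace the `Deserialize(StringReader)` call in `XmlServiceValidator.cs` so both files apply identical reader settings.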