XmlServiceValidator: XXE vulnerability — XmlDocument loaded without disabling DTD processing #221

@Christophe-Rogiers

Description

Security Issue

XmlServiceValidator.TryValidate() loads user-provided XML using XmlDocument.LoadXml() without disabling DTD processing or setting XmlResolver = null. This is vulnerable to XML External Entity (XXE) attacks, allowing local file reads or SSRF.

The sibling XmlServiceSerializer.cs (lines 18-22) already uses safe reader settings; this file does not.

Location

File: src/Servy.Core/Helpers/XmlServiceValidator.cs
Lines: 33-35 and 47-51

Code

// Line 33 — no DTD protection:
var xmlDoc = new XmlDocument();
xmlDoc.LoadXml(xml);

// Line 47 — deserialization from raw StringReader, no safe XmlReaderSettings:
var serializer = new XmlSerializer(typeof(ServiceDto));
using (var reader = new StringReader(xml))
{
    dto = serializer.Deserialize(reader) as ServiceDto;
}

Suggested Fix

Use an XmlReader with safe settings, matching the pattern already used in XmlServiceSerializer.cs:

var settings = new XmlReaderSettings
{
    DtdProcessing = DtdProcessing.Prohibit,
    XmlResolver = null
};

using (var stringReader = new StringReader(xml))
using (var xmlReader = XmlReader.Create(stringReader, settings))
{
    var xmlDoc = new XmlDocument();
    xmlDoc.Load(xmlReader);
}

And for deserialization:

using (var stringReader = new StringReader(xml))
using (var xmlReader = XmlReader.Create(stringReader, settings))
{
    dto = serializer.Deserialize(xmlReader) as ServiceDto;
}
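To show the two fixes together, here is an added, self-contained example (not code from this issue or from Servy) that wraps both loading and deserialization behind one set of hardened settings and checks that a constructed document carrying a DOCTYPE is rejected; the `ServiceDto` here is a hypothetical stand-in with a single field:

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical stand-in for Servy's ServiceDto (assumption: the real one has more fields).
public class ServiceDto
{
    public string Name { get; set; }
}

public static class SafeXml
{
    // One shared hardened configuration: any DOCTYPE is rejected outright, and no
    // resolver exists to fetch external resources even if a DTD were ever allowed.
    private static readonly XmlReaderSettings Settings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    public static XmlDocument Load(string xml)
    {
        using (var sr = new StringReader(xml))
        using (var xr = XmlReader.Create(sr, Settings))
        {
            // XmlResolver = null on the document itself is belt-and-braces for later Load calls.
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(xr);
            return doc;
        }
    }

    public static T Deserialize<T>(string xml) where T : class
    {
        var serializer = new XmlSerializer(typeof(T));
        using (var sr = new StringReader(xml))
        using (var xr = XmlReader.Create(sr, Settings))
            return serializer.Deserialize(xr) as T;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs: a benign document, and one whose DOCTYPE declares only an
        // internal entity, which is already enough for DtdProcessing.Prohibit to reject it.
        const string benign = "<ServiceDto><Name>demo</Name></ServiceDto>";
        const string withDtd = "<!DOCTYPE ServiceDto [<!ENTITY e \"x\">]><ServiceDto><Name>&e;</Name></ServiceDto>";
        Console.WriteLine(SafeXml.Deserialize<ServiceDto>(benign).Name);
        try { SafeXml.Load(withDtd); Console.WriteLine("unexpected: DTD accepted"); }
        catch (XmlException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

The first call prints `demo`; the second path throws an XmlException from XmlReader before any entity is expanded, which is the behaviour the fix relies on.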

Severity

Critical
