How to prevent XXE attack (XmlDocument in .NET)


Question

We had a security audit on our code, and they mentioned that our code is vulnerable to an External Entity (XXE) attack. I am using the following code:

string OurOutputXMLString =
"<ce><input><transaction><length>00000</length><tran_type>Login</tran_type></transaction><user><user_id>ce_userid</user_id><subscriber_name>ce_subscribername</subscriber_name><subscriber_id>ce_subscriberid</subscriber_id><group_id>ce_groupid</group_id><permissions></permissions></user><consumer><login_details><username>UnitTester9</username><password>pDhE5AsKBHw85Sqgg6qdKQ==</password><pin>tOlkiae9epM=</pin></login_details></consumer></input></ce>";

XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(OurOutputXMLString);

In the audit report they say that it's failing because an XML entity can contain URLs that can resolve outside of intended control. The XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. To avoid this I wrote the following code, but it doesn't work.

MemoryStream stream =
    new MemoryStream(System.Text.Encoding.Default.GetBytes(OurOutputXMLString));

XmlReaderSettings settings = new XmlReaderSettings();

settings.DtdProcessing = DtdProcessing.Prohibit;
settings.MaxCharactersFromEntities = 6000;
XmlReader reader = XmlReader.Create(stream, settings);
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(reader);

But I can see here that the reader does not have any value to load into xmlDoc (XmlDocument). Can anyone help with what I am missing?

Answer

External resources are resolved using the XmlResolver provided via the XmlDocument.XmlResolver property. If your XML documents **should not contain any external resource** (for example DTDs or schemas), simply set this property to null:

XmlDocument xmlDoc = new XmlDocument();
xmlDoc.XmlResolver = null;
xmlDoc.LoadXml(OurOutputXMLString);

If you want to filter where these URLs come from (for example, to allow only certain domains), just derive your own class from XmlUrlResolver and override the ResolveUri() method. There you can check what the URL is and sanitize it (for example, you can allow only URLs within your local network or from trusted sources).

For example:

class CustomUrlResolver : XmlUrlResolver
{
    public override Uri ResolveUri(Uri baseUri, string relativeUri)
    {
        // Let the base class build the absolute URI (it also copes with a null baseUri)
        Uri uri = base.ResolveUri(baseUri, relativeUri);
        if (IsUnsafeHost(uri.Host))
            return null;   // null tells the parser not to resolve this reference

        return uri;
    }

    private bool IsUnsafeHost(string host)
    {
        // Placeholder: put your own host allow/deny check here
        return false;
    }
}

Where IsUnsafeHost() is a custom function that checks if the given host is allowed or not. See this post here on SO for a few ideas. Just return null from ResolveUri() to save your code from this kind of attack. In case the URI is allowed, you can simply return the default XmlUrlResolver.ResolveUri() implementation.

Usage:

XmlDocument xmlDoc = new XmlDocument();
xmlDoc.XmlResolver = new CustomUrlResolver();
xmlDoc.LoadXml(OurOutputXMLString);

For more details about how XML external resources are resolved, just read Resolving External Resources on MS Docs. If your code is more complex than this example, then you should definitely read the Remarks section of the XmlDocument.XmlResolver property.
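As an added example (not part of the original question or answer), the following C# combines the answer's XmlResolver = null with the DtdProcessing.Prohibit reader settings from the question, then shows an allow-list version of the CustomUrlResolver idea; the host name schemas.example.internal and the placeholder.invalid URL are constructed values, and both sample documents are constructed.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not from the original post. Hardened loader: the reader refuses DTDs,
// neither the reader nor the document has a resolver, so nothing external is fetched.
static class SafeXml
{
    public static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> throws XmlException
            XmlResolver = null,                     // the reader itself fetches nothing
            MaxCharactersFromEntities = 6000        // cap entity expansion, as in the question
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            // A forward-only reader shows no content in a debugger before Load runs;
            // the document is populated once Load has consumed it.
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    static void Main()
    {
        // Constructed inputs: the question's document shape, and one that carries a DTD.
        string clean = "<ce><input><transaction><tran_type>Login</tran_type></transaction></input></ce>";
        string withDtd = "<!DOCTYPE ce [<!ENTITY ext SYSTEM \"http://placeholder.invalid/e\">]><ce>&ext;</ce>";
        Console.WriteLine(LoadHardened(clean).DocumentElement.Name);   // prints "ce"
        try { LoadHardened(withDtd); }
        catch (XmlException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}

// Allow-list variant of the answer's CustomUrlResolver, for documents that must reference
// external resources from known hosts only. The host name is a placeholder.
class AllowListResolver : XmlUrlResolver
{
    private static readonly string[] AllowedHosts = { "schemas.example.internal" };

    public override Uri ResolveUri(Uri baseUri, string relativeUri)
    {
        Uri uri = base.ResolveUri(baseUri, relativeUri); // copes with a null baseUri
        // file:// and other schemes have an empty Host, so they are blocked too
        return Array.IndexOf(AllowedHosts, uri.Host) >= 0 ? uri : null; // null = do not resolve
    }
}
```

Use AllowListResolver only where a document genuinely needs external resources; otherwise LoadHardened, which allows none, is the simpler and safer choice.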
