How to configure the XML parser to disable external entity resolution in c#

粉色の甜心 2020-12-30 04:00
var xDoc = XDocument.Load(fileName);

I am using the above code in a function to load an XML file. Functionality-wise it's working fine, but it is showing

3 answers
  • 2020-12-30 04:15

    If you are not using external entity references in your XML, you can disable the resolver by setting it to null, from How to prevent XXE attack (XmlDocument in .net):

    XmlDocument xmlDoc = new XmlDocument();
    xmlDoc.XmlResolver = null;
    xmlDoc.LoadXml(OurOutputXMLString);
    

    If you are expecting the document to contain entity references, then you will need to create a custom resolver and whitelist what you are expecting, especially any references to websites that you do not control.

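    The same idea applied to the XDocument.Load call from the question, as an added example that is not part of this answer: the document is loaded through an XmlReader whose settings prohibit DTD processing and carry no resolver, so an external entity declaration is rejected before anything is fetched. The sample XML string and the file path it names are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

public static class SafeXmlLoad
{
    // Constructed sample document: it declares an external entity that a
    // resolver-enabled parser would try to read from disk. The path is a
    // placeholder, not a real file.
    public const string SampleWithExternalEntity =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///C:/example/external.txt\">]>" +
        "<root>&ext;</root>";

    // Hardened settings: no DTD processing at all and no resolver, so neither
    // external entities nor an external DTD subset can be retrieved.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    // Loads an XDocument like the question does, but through a reader built
    // from the hardened settings. For a file on disk use
    // XmlReader.Create(fileName, HardenedSettings()) instead of the StringReader.
    public static XDocument LoadFromString(string xml)
    {
        using var stringReader = new StringReader(xml);
        using var reader = XmlReader.Create(stringReader, HardenedSettings());
        return XDocument.Load(reader);
    }

    public static void Main()
    {
        try
        {
            LoadFromString(SampleWithExternalEntity);
            Console.WriteLine("Loaded (unexpected: the DOCTYPE should have been rejected)");
        }
        catch (XmlException ex)
        {
            // DtdProcessing.Prohibit throws on the DOCTYPE itself, so the
            // entity is never resolved and no file is opened.
            Console.WriteLine("Rejected: " + ex.Message);
        }

        // A plain document without any DTD still loads normally.
        var doc = LoadFromString("<root><item>ok</item></root>");
        Console.WriteLine(doc.Root.Element("item").Value);
    }
}
```

    If you use XmlDocument rather than XDocument, the same reader can be passed to xmlDoc.Load(reader) after setting xmlDoc.XmlResolver = null, which keeps the document object itself from resolving anything later.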
  • 2020-12-30 04:32

    According to the official OWASP documentation you need to do this:

    If using XercesDOMParser, do this to prevent XXE:

    XercesDOMParser *parser = new XercesDOMParser;
    parser->setCreateEntityReferenceNodes(false);
    

    If using SAXParser, do this to prevent XXE:

    SAXParser* parser = new SAXParser;
    parser->setDisableDefaultEntityResolution(true);
    

    If using SAX2XMLReader, do this to prevent XXE:

    SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();
    // the feature is set on the reader created above
    reader->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);
    

    Take a look at this guide: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

  • 2020-12-30 04:33

    Implement a custom XmlResolver and use it for reading the XML. By default, the XmlUrlResolver is used, which automatically downloads the resolved references.

    using System;
    using System.Xml;

    public class CustomResolver : XmlUrlResolver
    {
        public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
        {
            // base.GetEntity calls XmlUrlResolver.DownloadManager.GetStream(...) here,
            // i.e. it would fetch the referenced resource. Refuse instead of fetching.
            throw new XmlException("External entity resolution is disabled: " + absoluteUri);
        }
    }
    

    And use it like this:

    var settings = new XmlReaderSettings { XmlResolver = new CustomResolver() };
    var reader = XmlReader.Create(fileName, settings);
    var xDoc = XDocument.Load(reader);
    
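    A resolver that whitelists instead of refusing everything, as an added example that is not part of this answer: the hypothetical AllowListResolver class resolves only file: URIs located inside one configured directory and throws for anything else, including every http/https reference and any path that escapes the directory through "..". The directory and file names used in Main are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

// Hypothetical allowlisting resolver: only local files under one root directory
// may be resolved; every other URI is refused before any I/O happens.
public class AllowListResolver : XmlUrlResolver
{
    private readonly string _allowedRoot;

    public AllowListResolver(string allowedRoot)
    {
        // Normalise once so the prefix check below compares canonical paths.
        _allowedRoot = Path.GetFullPath(allowedRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
    }

    public bool IsAllowed(Uri absoluteUri)
    {
        if (!absoluteUri.IsFile)
            return false;                       // no http, https, ftp, ... at all
        var full = Path.GetFullPath(absoluteUri.LocalPath);
        return full.StartsWith(_allowedRoot, StringComparison.OrdinalIgnoreCase);
    }

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        if (!IsAllowed(absoluteUri))
            throw new XmlException("Refusing to resolve external reference: " + absoluteUri);
        // Inside the allowed directory: let XmlUrlResolver open the file as usual.
        return base.GetEntity(absoluteUri, role, ofObjectToReturn);
    }
}

public static class Demo
{
    // Loads a document that legitimately needs entities from local DTD files.
    public static XDocument Load(string fileName, string allowedRoot)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,          // entities are expected here
            XmlResolver = new AllowListResolver(allowedRoot),
            MaxCharactersFromEntities = 1024              // bounds entity expansion
        };
        using var reader = XmlReader.Create(fileName, settings);
        return XDocument.Load(reader);
    }

    public static void Main()
    {
        // Constructed sample paths; nothing is actually read from disk here,
        // only the allow/deny decision is exercised.
        var root = Path.Combine(Path.GetTempPath(), "dtds");
        var resolver = new AllowListResolver(root);

        var inside = new Uri(Path.Combine(root, "schema.dtd"));
        var traversal = new Uri(Path.Combine(root, "..", "secret.txt"));
        var remote = new Uri("http://example.invalid/remote.dtd");

        Console.WriteLine("inside allowed root: " + resolver.IsAllowed(inside));
        Console.WriteLine("path traversal:      " + resolver.IsAllowed(traversal));
        Console.WriteLine("remote URL:          " + resolver.IsAllowed(remote));
    }
}
```

    The MaxCharactersFromEntities limit is there because allowing DTD parsing at all re-opens entity-expansion attacks, which the resolver alone does not address; the resolver only decides which external resources may be opened.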