I have the following code:
using (FileStream fs = new FileStream(path_to_xml, FileMode.Open))
{
    using (XmlReader xr = XmlReader.Create(fs))
    {
        // ...
    }
}
Looking at the documentation of the warning explains the root cause and many possible fixes, but it boils down to this: the XML being read can contain DTD references to potentially insecure places, and a carefully crafted document could represent a vulnerability. From the docs:
If you use insecure DtdProcessing instances or reference external entity sources, the parser may accept untrusted input and disclose sensitive information to attackers.
The problem is that the default settings of both the XmlReader and XmlReaderSettings classes allow such behavior. As the default presents this problem, you need to explicitly set a safe option, which ultimately boils down to setting DtdProcessing to DtdProcessing.Prohibit or XmlResolver to an XmlSecureResolver.
Back to your code, it can be changed like this:
using (XmlReader xr = XmlReader.Create(fs, new XmlReaderSettings() { DtdProcessing = DtdProcessing.Prohibit }))
or
// XmlSecureResolver has no parameterless constructor: it wraps an inner resolver and takes a
// security URL (used on .NET Framework to derive the permissions the inner resolver runs under).
using (XmlReader xr = XmlReader.Create(fs, new XmlReaderSettings()
{
    XmlResolver = new XmlSecureResolver(new XmlUrlResolver(), new Uri(Path.GetFullPath(path_to_xml)).AbsoluteUri)
}))
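To see the hardened settings actually refuse a hostile document, here is an added, self-contained example (not code from the question or the answer above). It builds a constructed XML payload whose DOCTYPE declares an external entity, reads it with DtdProcessing.Prohibit plus a null XmlResolver, and shows that the reader throws an XmlException on the DOCTYPE while a plain document is read normally. The MemoryStream stands in for the FileStream in the question; the file:// URL inside the payload is a placeholder and is never fetched.

```csharp
// Added example, not part of the original question or answer.
// Assumes .NET Framework 4.x or .NET 6+ with System.Xml available.
using System;
using System.IO;
using System.Text;
using System.Xml;

static class SafeXmlDemo
{
    // Constructed sample: a DOCTYPE declaring an external entity, then a body that expands it.
    // The SYSTEM URL is a placeholder; with the hardened settings it is never resolved.
    const string DocWithExternalEntity =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n" +
        "<data>&ext;</data>";

    // Constructed sample: a harmless document with no DTD at all.
    const string PlainDoc = "<?xml version=\"1.0\"?><data>hello</data>";

    // The settings recommended in the answer: refuse any DTD outright. Clearing XmlResolver
    // as well means nothing can be fetched from disk or network even if a DTD were allowed.
    static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
    }

    // Reads the document with the given settings and returns the root element's text,
    // or the reader's error message when it refuses the input.
    static string ReadRootText(string xml, XmlReaderSettings settings)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(xml);
        using (var stream = new MemoryStream(bytes))              // stands in for the FileStream
        using (XmlReader reader = XmlReader.Create(stream, settings))
        {
            try
            {
                reader.MoveToContent();                           // the DOCTYPE is hit here
                return "OK: " + reader.ReadElementContentAsString();
            }
            catch (XmlException ex)
            {
                return "REJECTED: " + ex.Message;
            }
        }
    }

    static void Main()
    {
        XmlReaderSettings safe = HardenedSettings();
        Console.WriteLine(ReadRootText(PlainDoc, safe));               // OK: hello
        Console.WriteLine(ReadRootText(DocWithExternalEntity, safe));  // REJECTED: DTD is prohibited ...
    }
}
```

One caveat when choosing between the two fixes in the answer: on .NET 7 and later XmlSecureResolver is marked obsolete (the compiler emits SYSLIB0047), so the DtdProcessing.Prohibit form, optionally combined with XmlResolver = null as above, is the one to prefer for new code.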