fix: prevent XXE vulnerability in XML parser (CVE-2017-9096)

[michaelcheers]

PR Checklist

Please check if your PR fulfills the following requirements:

• The commit message follows Conventional Commits
• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

• Bugfix
• Feature
• Refactoring (no functional changes, no api changes) - [ ] Other... Please describe:

What is the current behavior?

The XML parser in ParserBase.cs creates XmlReader instances without configuring secure settings, leaving it vulnerable to XML External Entity (XXE) attacks (CVE-2017-9096). An attacker could exploit this by providing a malicious PDF containing crafted XML to:

• Read arbitrary files from the server
• Perform Server-Side Request Forgery (SSRF) attacks
• Cause Denial of Service

This affects any application using iTextSharp.LGPLv2.Core to process untrusted PDFs on the server side.

What is the new behavior?

XmlReader.Create() now uses secure XmlReaderSettings that:

• Set DtdProcessing = DtdProcessing.Prohibit to disable DTD processing
• Set XmlResolver = null to prevent resolution of external entities

This prevents XXE attacks while maintaining all existing functionality for legitimate XML processing within PDFs.

Does this PR introduce a breaking change?

• Yes
• No

The change only affects the internal XML parsing behavior and does not modify any public APIs or expected functionality. All legitimate use cases continue to work unchanged.

Other information

This fix addresses CVE-2017-9096, which affected the original iText library (versions before 5.5.12). Since iTextSharp.LGPLv2.Core is based on iTextSharp 4.1.6 (equivalent to iText 2.1.7), it inherited this vulnerability.

[gemini-code-assist]

Summary of Changes

Hello @michaelcheers, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a critical security fix to prevent XML External Entity (XXE) vulnerabilities in the XML parsing logic of the iTextSharp.LGPLv2.Core library. By configuring XmlReader with secure settings that prohibit DTD processing and external entity resolution, the change significantly enhances the application's resilience against various XML-based attacks without introducing any breaking changes to existing functionality.

Highlights

• Security Fix: This pull request addresses and mitigates an XML External Entity (XXE) vulnerability (CVE-2017-9096) present in the XML parser.
• Secure XML Parsing: The XmlReader instances are now configured with secure settings to prevent malicious exploitation. Specifically, DtdProcessing is set to Prohibit and XmlResolver is set to null.
• Vulnerability Prevention: These changes prevent potential attacks such as arbitrary file reading, Server-Side Request Forgery (SSRF), and Denial of Service (DoS) through crafted XML within untrusted PDFs.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[what-the-diff]

PR Summary

• Enhanced Security in XML Reader Creation
  • The way the XmlReader is created in the Parse methods has been updated to provide enhanced security. This is done with the use of a feature known as XmlReaderSettings.
    • The settings include a provision called DtdProcessing which is now set to Prohibit. This simply means that Document Type Definitions (DTDs) have been disallowed, enhancing the security of the application against any potential misuse of DTDs.
    • It also includes another feature XmlResolver which has now been set to null. This prevents external XML entities from being resolved which further enhances the security of the operation.

[gemini-code-assist]

Code Review

This pull request effectively addresses the XXE vulnerability (CVE-2017-9096) by configuring the XmlReader with secure settings (DtdProcessing.Prohibit and XmlResolver = null) in ParserBase.cs. This is a critical security fix. My review includes a suggestion to refactor the new code to reduce duplication, improving maintainability. Additionally, for consistency and to promote secure practices throughout the codebase, you might consider applying similar secure settings to the XmlReader creation in XmlITextTests.cs in a future change, even though it's in test code.

[gemini-code-assist]

To improve maintainability and avoid code duplication, consider extracting these XmlReaderSettings into a private static readonly field. The same settings are configured again in the Parse(string url) method. Centralizing this configuration would make it easier to manage and ensure consistency.

[gemini-code-assist]

This is the second instance of the XmlReaderSettings configuration. As mentioned in the other comment, creating a shared private static readonly field for these settings would eliminate this code duplication and improve the overall maintainability of the class.

[VahidN]

@michaelcheers
Thanks. It seems we have more XmlReader's to fix: https://github.com/search?q=repo%3AVahidN%2FiTextSharp.LGPLv2.Core%20XmlReader.Create&type=code
Would you please add this config as a public static readonly field to these locations as well?

[michaelcheers]

@VahidN I've updated the PR to:

1. Extract the XmlReaderSettings as a public static readonly field SecureXmlReaderSettings in ParserBase
2. Apply it to all XmlReader.Create calls in the codebase:

• ParserBase.cs (2 locations)
• XmpReader.cs
• XfaForm.cs