Merge pull request #1596 from Thorium/security-maintenance

Potential XXE vulnerability fix on XML-parsing

Author: dsyme

src/AssemblyInfo.Csv.Core.fs

@@ -1,6 +1,5 @@
 // Auto-Generated by FAKE; do not edit
 namespace System
-
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Csv.Core")>]
@@ -11,17 +10,8 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    [<Literal>]
-    let AssemblyTitle = "FSharp.Data.Csv.Core"
-
-    [<Literal>]
-    let AssemblyProduct = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyDescription = "Library of F# type providers and data access tools"
-
-    [<Literal>]
-    let AssemblyVersion = "6.6.0.0"
-
-    [<Literal>]
-    let AssemblyFileVersion = "6.6.0.0"
+    let [<Literal>] AssemblyTitle = "FSharp.Data.Csv.Core"
+    let [<Literal>] AssemblyProduct = "FSharp.Data"
+    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
+    let [<Literal>] AssemblyVersion = "6.6.0.0"
+    let [<Literal>] AssemblyFileVersion = "6.6.0.0"

src/AssemblyInfo.DesignTime.fs

@@ -1,6 +1,5 @@
 // Auto-Generated by FAKE; do not edit
 namespace System
-
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.DesignTime")>]
@@ -11,17 +10,8 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    [<Literal>]
-    let AssemblyTitle = "FSharp.Data.DesignTime"
-
-    [<Literal>]
-    let AssemblyProduct = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyDescription = "Library of F# type providers and data access tools"
-
-    [<Literal>]
-    let AssemblyVersion = "6.6.0.0"
-
-    [<Literal>]
-    let AssemblyFileVersion = "6.6.0.0"
+    let [<Literal>] AssemblyTitle = "FSharp.Data.DesignTime"
+    let [<Literal>] AssemblyProduct = "FSharp.Data"
+    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
+    let [<Literal>] AssemblyVersion = "6.6.0.0"
+    let [<Literal>] AssemblyFileVersion = "6.6.0.0"

src/AssemblyInfo.Html.Core.fs

@@ -1,6 +1,5 @@
 // Auto-Generated by FAKE; do not edit
 namespace System
-
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Html.Core")>]
@@ -11,17 +10,8 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    [<Literal>]
-    let AssemblyTitle = "FSharp.Data.Html.Core"
-
-    [<Literal>]
-    let AssemblyProduct = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyDescription = "Library of F# type providers and data access tools"
-
-    [<Literal>]
-    let AssemblyVersion = "6.6.0.0"
-
-    [<Literal>]
-    let AssemblyFileVersion = "6.6.0.0"
+    let [<Literal>] AssemblyTitle = "FSharp.Data.Html.Core"
+    let [<Literal>] AssemblyProduct = "FSharp.Data"
+    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
+    let [<Literal>] AssemblyVersion = "6.6.0.0"
+    let [<Literal>] AssemblyFileVersion = "6.6.0.0"

src/AssemblyInfo.Http.fs

@@ -1,6 +1,5 @@
 // Auto-Generated by FAKE; do not edit
 namespace System
-
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Http")>]
@@ -11,17 +10,8 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    [<Literal>]
-    let AssemblyTitle = "FSharp.Data.Http"
-
-    [<Literal>]
-    let AssemblyProduct = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyDescription = "Library of F# type providers and data access tools"
-
-    [<Literal>]
-    let AssemblyVersion = "6.6.0.0"
-
-    [<Literal>]
-    let AssemblyFileVersion = "6.6.0.0"
+    let [<Literal>] AssemblyTitle = "FSharp.Data.Http"
+    let [<Literal>] AssemblyProduct = "FSharp.Data"
+    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
+    let [<Literal>] AssemblyVersion = "6.6.0.0"
+    let [<Literal>] AssemblyFileVersion = "6.6.0.0"

src/AssemblyInfo.Json.Core.fs

@@ -1,6 +1,5 @@
 // Auto-Generated by FAKE; do not edit
 namespace System
-
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Json.Core")>]
@@ -11,17 +10,8 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    [<Literal>]
-    let AssemblyTitle = "FSharp.Data.Json.Core"
-
-    [<Literal>]
-    let AssemblyProduct = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyDescription = "Library of F# type providers and data access tools"
-
-    [<Literal>]
-    let AssemblyVersion = "6.6.0.0"
-
-    [<Literal>]
-    let AssemblyFileVersion = "6.6.0.0"
+    let [<Literal>] AssemblyTitle = "FSharp.Data.Json.Core"
+    let [<Literal>] AssemblyProduct = "FSharp.Data"
+    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
+    let [<Literal>] AssemblyVersion = "6.6.0.0"
+    let [<Literal>] AssemblyFileVersion = "6.6.0.0"

src/AssemblyInfo.Runtime.Utilities.fs

@@ -1,6 +1,5 @@
 // Auto-Generated by FAKE; do not edit
 namespace System
-
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Runtime.Utilities")>]
@@ -11,17 +10,8 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    [<Literal>]
-    let AssemblyTitle = "FSharp.Data.Runtime.Utilities"
-
-    [<Literal>]
-    let AssemblyProduct = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyDescription = "Library of F# type providers and data access tools"
-
-    [<Literal>]
-    let AssemblyVersion = "6.6.0.0"
-
-    [<Literal>]
-    let AssemblyFileVersion = "6.6.0.0"
+    let [<Literal>] AssemblyTitle = "FSharp.Data.Runtime.Utilities"
+    let [<Literal>] AssemblyProduct = "FSharp.Data"
+    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
+    let [<Literal>] AssemblyVersion = "6.6.0.0"
+    let [<Literal>] AssemblyFileVersion = "6.6.0.0"

src/AssemblyInfo.WorldBank.Core.fs

@@ -1,6 +1,5 @@
 // Auto-Generated by FAKE; do not edit
 namespace System
-
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.WorldBank.Core")>]
@@ -11,17 +10,8 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    [<Literal>]
-    let AssemblyTitle = "FSharp.Data.WorldBank.Core"
-
-    [<Literal>]
-    let AssemblyProduct = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyDescription = "Library of F# type providers and data access tools"
-
-    [<Literal>]
-    let AssemblyVersion = "6.6.0.0"
-
-    [<Literal>]
-    let AssemblyFileVersion = "6.6.0.0"
+    let [<Literal>] AssemblyTitle = "FSharp.Data.WorldBank.Core"
+    let [<Literal>] AssemblyProduct = "FSharp.Data"
+    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
+    let [<Literal>] AssemblyVersion = "6.6.0.0"
+    let [<Literal>] AssemblyFileVersion = "6.6.0.0"

src/AssemblyInfo.Xml.Core.fs

@@ -1,6 +1,5 @@
 // Auto-Generated by FAKE; do not edit
 namespace System
-
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Xml.Core")>]
@@ -11,17 +10,8 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    [<Literal>]
-    let AssemblyTitle = "FSharp.Data.Xml.Core"
-
-    [<Literal>]
-    let AssemblyProduct = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyDescription = "Library of F# type providers and data access tools"
-
-    [<Literal>]
-    let AssemblyVersion = "6.6.0.0"
-
-    [<Literal>]
-    let AssemblyFileVersion = "6.6.0.0"
+    let [<Literal>] AssemblyTitle = "FSharp.Data.Xml.Core"
+    let [<Literal>] AssemblyProduct = "FSharp.Data"
+    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
+    let [<Literal>] AssemblyVersion = "6.6.0.0"
+    let [<Literal>] AssemblyFileVersion = "6.6.0.0"

src/AssemblyInfo.fs

@@ -1,6 +1,5 @@
 // Auto-Generated by FAKE; do not edit
 namespace System
-
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data")>]
@@ -11,17 +10,8 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    [<Literal>]
-    let AssemblyTitle = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyProduct = "FSharp.Data"
-
-    [<Literal>]
-    let AssemblyDescription = "Library of F# type providers and data access tools"
-
-    [<Literal>]
-    let AssemblyVersion = "6.6.0.0"
-
-    [<Literal>]
-    let AssemblyFileVersion = "6.6.0.0"
+    let [<Literal>] AssemblyTitle = "FSharp.Data"
+    let [<Literal>] AssemblyProduct = "FSharp.Data"
+    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
+    let [<Literal>] AssemblyVersion = "6.6.0.0"
+    let [<Literal>] AssemblyFileVersion = "6.6.0.0"

src/FSharp.Data.Xml.Core/XmlRuntime.fs

@@ -6,6 +6,7 @@ namespace FSharp.Data.Runtime.BaseTypes
 
 open System.ComponentModel
 open System.IO
+open System.Xml
 open System.Xml.Linq
 
 #nowarn "10001"
@@ -56,7 +57,16 @@ type XmlElement =
                                IsError = false)>]
     static member Create(reader: TextReader) =
         use reader = reader
-        let element = XDocument.Load(reader, LoadOptions.PreserveWhitespace).Root
+        // Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks
+        let xmlReaderSettings =
+            new XmlReaderSettings(
+                DtdProcessing = DtdProcessing.Prohibit,
+                XmlResolver = null,
+                MaxCharactersFromEntities = 1024L * 1024L
+            ) // 1MB limit
+
+        use xmlReader = XmlReader.Create(reader, xmlReaderSettings)
+        let element = XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root
         { XElement = element }
 
     /// <exclude />
@@ -69,12 +79,26 @@ type XmlElement =
         use reader = reader
         let text = reader.ReadToEnd()
 
+        // Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks
+        let xmlReaderSettings =
+            new XmlReaderSettings(
+                DtdProcessing = DtdProcessing.Prohibit,
+                XmlResolver = null,
+                MaxCharactersFromEntities = 1024L * 1024L
+            ) // 1MB limit
+
         try
-            XDocument.Parse(text, LoadOptions.PreserveWhitespace).Root.Elements()
+            use stringReader = new StringReader(text)
+            use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
+
+            XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
             |> Seq.map (fun value -> { XElement = value })
             |> Seq.toArray
         with _ when text.TrimStart().StartsWith "<" ->
-            XDocument.Parse("<root>" + text + "</root>", LoadOptions.PreserveWhitespace).Root.Elements()
+            use stringReader = new StringReader("<root>" + text + "</root>")
+            use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
+
+            XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
             |> Seq.map (fun value -> { XElement = value })
             |> Seq.toArray