Potential XXE vulnerability fix.

Thorium · Thorium · commit da72f22404c3 · 2025-10-28T08:38:48.000Z
diff --git a/src/FSharp.Data.Xml.Core/XmlRuntime.fs b/src/FSharp.Data.Xml.Core/XmlRuntime.fs
@@ -6,6 +6,7 @@ namespace FSharp.Data.Runtime.BaseTypes
 
 open System.ComponentModel
 open System.IO
+open System.Xml
 open System.Xml.Linq
 
 #nowarn "10001"
@@ -56,7 +57,14 @@ type XmlElement =
                                IsError = false)>]
     static member Create(reader: TextReader) =
         use reader = reader
-        let element = XDocument.Load(reader, LoadOptions.PreserveWhitespace).Root
+        // Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks
+        let xmlReaderSettings = 
+            new XmlReaderSettings(
+                DtdProcessing = DtdProcessing.Prohibit,
+                XmlResolver = null,
+                MaxCharactersFromEntities = 1024L * 1024L) // 1MB limit
+        use xmlReader = XmlReader.Create(reader, xmlReaderSettings)
+        let element = XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root
         { XElement = element }
 
     /// <exclude />
@@ -69,12 +77,23 @@ type XmlElement =
         use reader = reader
         let text = reader.ReadToEnd()
 
+        // Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks
+        let xmlReaderSettings = 
+            new XmlReaderSettings(
+                DtdProcessing = DtdProcessing.Prohibit,
+                XmlResolver = null,
+                MaxCharactersFromEntities = 1024L * 1024L) // 1MB limit
+
         try
-            XDocument.Parse(text, LoadOptions.PreserveWhitespace).Root.Elements()
+            use stringReader = new StringReader(text)
+            use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
+            XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
             |> Seq.map (fun value -> { XElement = value })
             |> Seq.toArray
         with _ when text.TrimStart().StartsWith "<" ->
-            XDocument.Parse("<root>" + text + "</root>", LoadOptions.PreserveWhitespace).Root.Elements()
+            use stringReader = new StringReader("<root>" + text + "</root>")
+            use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
+            XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
             |> Seq.map (fun value -> { XElement = value })
             |> Seq.toArray
 
