Merge pull request #1657 from AzureAD/xiao/fixDTD

Fix insecure DTD processing

test/Microsoft.IdentityModel.TestUtils/XmlUtilities.cs

@@ -47,7 +47,7 @@ public static XmlReader CreateXmlReader(string xml)
             if (string.IsNullOrEmpty(xml))
                 return null;
 
-            return new XmlTextReader(new StringReader(xml));
+            return XmlReader.Create(new StringReader(xml), new XmlReaderSettings() { XmlResolver = null });
         }
 
         /// <summary>

test/Microsoft.IdentityModel.Tokens.Saml.Tests/SamlSecurityTokenHandlerTests.cs

@@ -226,7 +226,7 @@ public static TheoryData<SamlTheoryData> ReadTokenTheoryData
                         Handler = new SamlSecurityTokenHandler(),
                         TestId = nameof(ReferenceTokens.SamlToken_Valid),
                         Token = ReferenceTokens.SamlToken_Valid,
-                        XmlReader = new XmlTextReader(new StringReader(ReferenceTokens.SamlToken_Valid))
+                        XmlReader = XmlReader.Create(new StringReader(ReferenceTokens.SamlToken_Valid), new XmlReaderSettings() { XmlResolver = null })
                     }
                 };
             }

test/Microsoft.IdentityModel.Xml.Tests/ReferenceTests.cs

@@ -90,9 +90,9 @@ public void VerifyReference()
             //var saml2 = @"<saml:Assertion MajorVersion=""1"" MinorVersion=""1"" AssertionID=""_e35fc6da-147e-428e-8c71-fb32867598ab"" Issuer=""http://sts.sub2.fracas365.msftonlinerepro.com/adfs/services/trust"" IssueInstant=""2017-05-08T14:57:58.348Z"" xmlns:saml=""urn:oasis:names:tc:SAML:1.0:assertion""><saml:Conditions NotBefore=""2017-05-08T14:57:58.348Z"" NotOnOrAfter=""2017-05-08T15:57:58.348Z""><saml:AudienceRestrictionCondition><saml:Audience>https://app1.sub2.fracas365.msftonlinerepro.com/sampapp/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName=""upn"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims""><saml:AttributeValue>killer@sub2.fracas365.msftonlinerepro.com</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName=""x-ms-endpoint-absolute-path"" AttributeNamespace=""http://schemas.microsoft.com/2012/01/requestcontext/claims"" a:OriginalIssuer=""CLIENT CONTEXT"" xmlns:a=""http://schemas.xmlsoap.org/ws/2009/09/identity/claims""><saml:AttributeValue>/adfs/ls/wia</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName=""x-ms-client-ip"" AttributeNamespace=""http://schemas.microsoft.com/2012/01/requestcontext/claims"" a:OriginalIssuer=""CLIENT CONTEXT"" xmlns:a=""http://schemas.xmlsoap.org/ws/2009/09/identity/claims""><saml:AttributeValue>172.15.0.67</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName=""primarygroupsid"" AttributeNamespace=""http://schemas.microsoft.com/ws/2008/06/identity/claims""><saml:AttributeValue>S-1-5-21-487734988-61580006-1080473273-513</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName=""authnmethodsreferences"" AttributeNamespace=""http://schemas.microsoft.com/claims""><saml:AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName=""windowsaccountname"" AttributeNamespace=""http://schemas.microsoft.com/ws/2008/06/identity/claims""><saml:AttributeValue>FRACAS-O365\killer</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName=""streetAddress"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims""><saml:AttributeValue>street&#xD;\nwith&#xD;\nreturn</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><saml:AuthenticationStatement AuthenticationMethod=""urn:federation:authentication:windows"" AuthenticationInstant=""2017-05-08T14:57:58.333Z""><saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature xmlns:ds=""http://www.w3.org/2000/09/xmldsig#""><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"" /><ds:SignatureMethod Algorithm=""http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"" /><ds:Reference URI=""#_e35fc6da-147e-428e-8c71-fb32867598ab""><ds:Transforms><ds:Transform Algorithm=""http://www.w3.org/2000/09/xmldsig#enveloped-signature"" /><ds:Transform Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"" /></ds:Transforms><ds:DigestMethod Algorithm=""http://www.w3.org/2001/04/xmlenc#sha256"" /><ds:DigestValue>F/TMfVx/lEtqy4aGBzMyKPj/b5iyaEH9WyhUJ1EA724=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>RY27lz0BoNkWK+67gBdIFaLb2EzIcT3uKq+UTQhg1bRv6TewJScnEkhYCA4qqKEzjWgGBnkBsDfeZ44qLwvi5h1Q4S/cmY2i9eOeZnb63BosXSEzLLkhV4wT2sWy9og5EMB3IGAH5W/qjoPJybO8CMrHpwRC5YR81KsXO0O+8n2U/tih9vHd4ddxnJ1upTopcAhs5jYLVQc1pqtCZxA0EGsrpQaQFUGDggc/bhihCe4p87ppBN8CRE/zfKQYjRR1UL4dvQLDRNE+b+aeE5TIDomekgY7U2ai6NQYkJm+8lhz9824rJp8HqeMZ/77VsbpnH5i7OcOaXhXWIBBmE86eQ==</ds:SignatureValue><KeyInfo xmlns=""http://www.w3.org/2000/09/xmldsig#""><X509Data><X509Certificate>MIIDCDCCAfCgAwIBAgIQNz4YVbYAIJVFCc47HFD3RzANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDEzVBREZTIFNpZ25pbmcgLSBzdHMuc3ViMi5mcmFjYXMzNjUubXNmdG9ubGluZXJlcHJvLmNvbTAeFw0xNTAzMzExMDQyMTNaFw0zNDA1MzAxMDQyMTNaMEAxPjA8BgNVBAMTNUFERlMgU2lnbmluZyAtIHN0cy5zdWIyLmZyYWNhczM2NS5tc2Z0b25saW5lcmVwcm8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxdjzB+wGV6hYekOvWwKoL/DFNBiLQsLx6w02FzcFnpGwR38gVTn/glg9CNSsOT0riRM3/MwU8o2fwseQyVtv9Kee/yvia8cB6GD0CARlYizb6GkJJzMvWkPSas1zpn10Bs3SBBgn0pvAKZCWWir5WJ7DRY32X2yo2do8mQftsoLGYsEU8+jj9AMYQWaR3A86AEWjXoQY3AodfMMzdVFX+O/kjsvKcBfPqGRT6jUSGBOOaqzMOJBT39SueD8zePDW7SejBl7fRi4TLx5H6xuMldOAAH6oD70yIrobqosGG9X/LdijHajMSoaYzZIlG7fl4PCVvAjh1Dytw/y8K70flQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBy08dAsSTKd2YlNE8bM4O5C2bFKR1YakR8L/zLEy8g+RNsKN5V/cIll0b/tf9iQ5464nc+nM///U+UVxqT8ipeR7ThIPwuWX98cFZFQNNGkha4PaYap/osquEpRAJOcTqZf2K95ipeQ+5Hhw00mK0hcV1QT/7maTUqCHDfBCaD+uYAFvaNBXOYpdoIGM9cMk7Qjc/yowLDm+DpmJek54MWmN+iZ0YtDEhMSh//QPFMLPT5Ucat+qRTen1HZNGdxfZ7NIIDL3dNKVDN+vDUbW7rjvPyxA8Rtj4JplI9ENqpzRq4m1sDWUTk2hJYw9Ec1kGo7AFKRmOS6DRbwUn5Ptdc</X509Certificate></X509Data></KeyInfo></ds:Signature></saml:Assertion>";
             envelopedReader = XmlUtilities.CreateEnvelopedSignatureReader(saml2);
             var doc2 = new XmlDocument();
-            doc2.LoadXml(saml2);
+            doc2.Load(XmlReader.Create(new System.IO.StringReader(saml2), new XmlReaderSettings() { XmlResolver = null }));
             var doc1 = new XmlDocument();
-            doc1.LoadXml(saml1);
+            doc1.Load(XmlReader.Create(new System.IO.StringReader(saml1), new XmlReaderSettings() { XmlResolver = null }));
             while (envelopedReader.Read()) ;
             try
             {