
[Feature]: Harden XML parsing against XXE #29

@samatstariongroup


Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am running the latest version of the EcoreNetto
  • I have searched open and closed issues to ensure it has not already been reported

Description

The Ecore parser creates an XmlReaderSettings with defaults and loads the document into an XmlDocument. DTD processing and external-entity resolution are not disabled, leaving the library open to XML External Entity (XXE) attacks and entity-expansion DoS when parsing untrusted .ecore files.

  • Affected files: ECoreNetto/ECoreParser.cs:84-91

  • Proposed solution: Configure the reader settings before creating the reader:

    var settings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    Also set XmlResolver = null on the XmlDocument instance. Add a regression test that feeds a document with an external entity and asserts it does not resolve.

  • Acceptance criteria:

    • DtdProcessing is set to Prohibit (or Ignore) and XmlResolver is null on both the reader settings and the XmlDocument.
    • A test confirms an external-entity payload is not resolved/expanded.
    • Existing sample models (ecore, recipe, wizardEcore) still parse.
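A hardened loader together with the regression check the issue calls for, written here as an added example rather than EcoreNetto's own code; the class name, method names and the placeholder SYSTEM URI are assumptions.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

// Added example (not EcoreNetto's code): hardened loading of an .ecore
// document plus a regression check. Names below are assumptions.
public static class HardenedEcoreLoader
{
    public static XmlDocument Load(Stream input)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any DOCTYPE is rejected outright
            XmlResolver = null                       // never fetch external resources
        };

        // XmlDocument carries its own resolver; null it as well so nothing is
        // resolved even if the document is re-processed later.
        var document = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(input, settings))
        {
            document.Load(reader);
        }
        return document;
    }

    // Regression check: a constructed document declaring an external entity
    // must be rejected before any entity is resolved or expanded.
    public static bool RejectsExternalEntity()
    {
        const string constructedPayload =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\">]>" +
            "<r>&ext;</r>";
        using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(constructedPayload)))
        {
            try
            {
                Load(stream);
                return false; // parsed without error: hardening is missing
            }
            catch (XmlException)
            {
                return true;  // DTD prohibited: the expected outcome
            }
        }
    }
}
```

In a test project, assert that RejectsExternalEntity() returns true and that Load still succeeds on the existing sample models.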
