From 399412274793a7b28b9c37c9a0a79163bb80fab9 Mon Sep 17 00:00:00 2001
From: dauinsight <145612907+dauinsight@users.noreply.github.com>
Date: Wed, 8 May 2024 09:28:59 -0700
Subject: [PATCH] SDL | Changing ReadXml to a more secure overload. (#2147) (#2490)
Co-authored-by: Javad
---
 .../Microsoft/Data/ProviderBase/DbMetaDataFactory.cs | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs
index 6e907d26e1..c3c34c702b 100644
--- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs
+++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs
@@ -9,6 +9,7 @@
 using System.Diagnostics;
 using System.Globalization;
 using System.IO;
+using System.Xml;
 
 namespace Microsoft.Data.ProviderBase
 {
@@ -499,9 +500,14 @@ private void LoadDataSetFromXml(Stream XmlStream)
 {
 _metaDataCollectionsDataSet = new DataSet
 {
- Locale = System.Globalization.CultureInfo.InvariantCulture
+ Locale = CultureInfo.InvariantCulture
+ };
+ XmlReaderSettings settings = new()
+ {
+ XmlResolver = null
 };
- _metaDataCollectionsDataSet.ReadXml(XmlStream);
+ using XmlReader reader = XmlReader.Create(XmlStream, settings);
+ _metaDataCollectionsDataSet.ReadXml(reader);
 }
 
 protected virtual DataTable PrepareCollection(string collectionName, string[] restrictions, DbConnection connection)
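Review bot: The new `XmlReaderSettings` in the second hunk disables external resource resolution by nulling `XmlResolver`, but it leaves `DtdProcessing` at its default, so the hardening intent is implicit and rests on `XmlReaderSettings` continuing to default to `Prohibit`; make it explicit with `DtdProcessing = DtdProcessing.Prohibit,` next to `XmlResolver = null`, and add a why-comment such as `// Hardened reader: no DTD processing and no external resource resolution (XXE / entity-expansion defence).`. It would help to say in that comment that the replaced `ReadXml(Stream)` overload built its own reader with more permissive defaults on .NET Framework, which is the gap this closes — hedged, since the old reader's construction is not visible in this hunk. `CloseInput` also keeps its default of false, so disposing `reader` through the `using` declaration does not close `XmlStream`; ownership of the stream stays with the caller, the same contract as before. The enclosing method `LoadDataSetFromXml` starts outside the hunk (its signature is visible only in the `@@` header).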