Skip to content

Change DtdProcessing.Parse to DtdProcessing.Prohibit in XML loading helpers#25268

Open
rolfbjarne wants to merge 1 commit intomainfrom
dev/rolf/dtd-processing-prohibit
Open

Change DtdProcessing.Parse to DtdProcessing.Prohibit in XML loading helpers#25268
rolfbjarne wants to merge 1 commit intomainfrom
dev/rolf/dtd-processing-prohibit

Conversation

@rolfbjarne
Copy link
Copy Markdown
Member

@rolfbjarne rolfbjarne commented Apr 28, 2026

Multiple XML loading helpers use DtdProcessing.Parse, which enables inline DTD processing and opens a vector for entity expansion DoS ("billion laughs"). While XmlResolver = null prevents external entity resolution, inline DTDs are still processed. Apple plist files declare a DTD but don't depend on DTD processing for correctness.

This PR changes DtdProcessing.Parse to DtdProcessing.Prohibit in all affected locations:

  • tools/common/PListExtensions.cs — 2 occurrences (file and string overloads)
  • src/bgen/Extensions/ExtensionMethods.cs — 1 occurrence
  • tests/cecil-tests/Helper.cs — 1 occurrence
  • tests/mtouch/MTouch.cs — 1 occurrence
  • tests/common/ProductTests.cs — 1 occurrence

🤖 Pull request created by Copilot

@rolfbjarne
Change DtdProcessing.Parse to DtdProcessing.Prohibit
185a42d 
Prevents inline DTD processing (entity expansion DoS vector) in XML
loading helpers. Apple plist files declare a DTD but don't depend on
DTD processing for correctness.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 28, 2026 08:19
@rolfbjarne rolfbjarne marked this pull request as draft April 28, 2026 08:20
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@rolfbjarne rolfbjarne marked this pull request as ready for review April 29, 2026 08:50
@vs-mobiletools-engineering-service2
Copy link
Copy Markdown
Collaborator

vs-mobiletools-engineering-service2 commented Apr 29, 2026

✅ [PR Build #185a42d] Build passed (Build packages) ✅

Pipeline on Agent
Hash: 185a42dc2125819dd89c4793d3aab4c00ce55bf3 [PR build]

@vs-mobiletools-engineering-service2
Copy link
Copy Markdown
Collaborator

vs-mobiletools-engineering-service2 commented Apr 29, 2026

✅ [PR Build #185a42d] Build passed (Detect API changes) ✅

Pipeline on Agent
Hash: 185a42dc2125819dd89c4793d3aab4c00ce55bf3 [PR build]

@vs-mobiletools-engineering-service2
Copy link
Copy Markdown
Collaborator

vs-mobiletools-engineering-service2 commented Apr 29, 2026

✅ API diff for current PR / commit

NET (empty diffs)

✅ API diff vs stable

NET (empty diffs)

ℹ️ Generator diff

Generator Diff: vsdrops (html) vsdrops (raw diff) gist (raw diff) - Please review changes)

Pipeline on Agent
Hash: 185a42dc2125819dd89c4793d3aab4c00ce55bf3 [PR build]

@vs-mobiletools-engineering-service2
Copy link
Copy Markdown
Collaborator

vs-mobiletools-engineering-service2 commented Apr 29, 2026

✅ [CI Build #185a42d] Build passed (Build macOS tests) ✅

Pipeline on Agent
Hash: 185a42dc2125819dd89c4793d3aab4c00ce55bf3 [PR build]

@vs-mobiletools-engineering-service2

This comment has been minimized.

Sign in to view
@vs-mobiletools-engineering-service2
Copy link
Copy Markdown
Collaborator

vs-mobiletools-engineering-service2 commented Apr 29, 2026

🚀 [CI Build #185a42d] Test results 🚀

Test results

✅ All tests passed on VSTS: test results.

🎉 All 156 tests passed 🎉

Tests counts

✅ cecil: All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (iOS): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (MacCatalyst): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (macOS): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (Multiple platforms): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (tvOS): All 1 tests passed. Html Report (VSDrops) Download
✅ framework: All 2 tests passed. Html Report (VSDrops) Download
✅ fsharp: All 4 tests passed. Html Report (VSDrops) Download
✅ generator: All 5 tests passed. Html Report (VSDrops) Download
✅ interdependent-binding-projects: All 4 tests passed. Html Report (VSDrops) Download
✅ introspection: All 6 tests passed. Html Report (VSDrops) Download
✅ linker: All 44 tests passed. Html Report (VSDrops) Download
✅ monotouch (iOS): All 11 tests passed. Html Report (VSDrops) Download
✅ monotouch (MacCatalyst): All 15 tests passed. Html Report (VSDrops) Download
✅ monotouch (macOS): All 12 tests passed. Html Report (VSDrops) Download
✅ monotouch (tvOS): All 11 tests passed. Html Report (VSDrops) Download
✅ msbuild: All 2 tests passed. Html Report (VSDrops) Download
✅ sharpie: All 1 tests passed. Html Report (VSDrops) Download
✅ windows: All 3 tests passed. Html Report (VSDrops) Download
✅ xcframework: All 4 tests passed. Html Report (VSDrops) Download
✅ xtro: All 1 tests passed. Html Report (VSDrops) Download

macOS tests

✅ Tests on macOS Monterey (12): All 5 tests passed. Html Report (VSDrops) Download
✅ Tests on macOS Ventura (13): All 5 tests passed. Html Report (VSDrops) Download
✅ Tests on macOS Sonoma (14): All 5 tests passed. Html Report (VSDrops) Download
✅ Tests on macOS Sequoia (15): All 5 tests passed. Html Report (VSDrops) Download
✅ Tests on macOS Tahoe (26): All 5 tests passed. Html Report (VSDrops) Download

Linux Build Verification

Linux build succeeded

Pipeline on Agent
Hash: 185a42dc2125819dd89c4793d3aab4c00ce55bf3 [PR build]

@rolfbjarne rolfbjarne enabled auto-merge (squash) April 30, 2026 09:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dalexsoto dalexsoto dalexsoto approved these changes

Copilot code review Copilot Awaiting requested review from Copilot

Assignees

No one assigned

Labels

copilot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rolfbjarne @vs-mobiletools-engineering-service2 @dalexsoto