From da72f22404c38d0b0696a802add461a1163c672a Mon Sep 17 00:00:00 2001
From: Tuomas Hietanen
Date: Tue, 28 Oct 2025 08:38:48 +0000
Subject: [PATCH 1/2] Potential XXE vulnerability fix.
---
 src/FSharp.Data.Xml.Core/XmlRuntime.fs | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/FSharp.Data.Xml.Core/XmlRuntime.fs b/src/FSharp.Data.Xml.Core/XmlRuntime.fs
index bc7fb3844..8800867df 100644
--- a/src/FSharp.Data.Xml.Core/XmlRuntime.fs
+++ b/src/FSharp.Data.Xml.Core/XmlRuntime.fs
@@ -6,6 +6,7 @@ namespace FSharp.Data.Runtime.BaseTypes
 open System.ComponentModel
 open System.IO
+open System.Xml
 open System.Xml.Linq
 #nowarn "10001"
@@ -56,7 +57,14 @@ type XmlElement =
 IsError = false)>]
 static member Create(reader: TextReader) =
 use reader = reader
- let element = XDocument.Load(reader, LoadOptions.PreserveWhitespace).Root
+ // Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks
+ let xmlReaderSettings =
+ new XmlReaderSettings(
+ DtdProcessing = DtdProcessing.Prohibit,
+ XmlResolver = null,
+ MaxCharactersFromEntities = 1024L * 1024L) // 1MB limit
+ use xmlReader = XmlReader.Create(reader, xmlReaderSettings)
+ let element = XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root
 { XElement = element }
 ///
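Review bot: `DtdProcessing = DtdProcessing.Prohibit` makes `Create` throw an XmlException for any input that carries a `<!DOCTYPE>` — including documents whose DTD is purely internal or an XHTML doctype — and neither the new comment nor the member's `///` doc (which starts above the hunk) tells callers that. If that is the intended contract, document it, e.g. `/// Rejects documents containing a DOCTYPE (DtdProcessing.Prohibit) and never resolves external entities, to prevent XXE.`; if it is not, `DtdProcessing.Ignore` together with `XmlResolver = null` still prevents external entity resolution while tolerating a doctype, at the cost of entity references declared in it becoming undefined. Under `Prohibit` no entity can be declared, so the `MaxCharactersFromEntities` cap is unreachable and the `// 1MB limit` comment should say so, e.g. `// unreachable while DTDs are prohibited; kept as defence in depth`. Finally, as far as I recall, `XDocument.Load(XmlReader, LoadOptions)` ignores `PreserveWhitespace` and takes whitespace handling from the reader's `IgnoreWhitespace` setting (default false), so setting `IgnoreWhitespace = false` explicitly in the settings would make the intended behaviour visible rather than rely on a default.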
@@ -69,12 +77,23 @@ type XmlElement =
use reader = reader
let text = reader.ReadToEnd()
+ // Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks
+ let xmlReaderSettings =
+ new XmlReaderSettings(
+ DtdProcessing = DtdProcessing.Prohibit,
+ XmlResolver = null,
+ MaxCharactersFromEntities = 1024L * 1024L) // 1MB limit
+
try
- XDocument.Parse(text, LoadOptions.PreserveWhitespace).Root.Elements()
+ use stringReader = new StringReader(text)
+ use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
+ XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
|> Seq.map (fun value -> { XElement = value })
|> Seq.toArray
with _ when text.TrimStart().StartsWith "<" ->
- XDocument.Parse("" + text + "", LoadOptions.PreserveWhitespace).Root.Elements()
+ use stringReader = new StringReader("" + text + "")
+ use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
+ XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
|> Seq.map (fun value -> { XElement = value })
|> Seq.toArray
From 529c747338e57ee2305ddda724ed03cd06aababd Mon Sep 17 00:00:00 2001
From: Tuomas Hietanen
Date: Tue, 28 Oct 2025 09:13:20 +0000
Subject: [PATCH 2/2] mandatory Fantomas commit
---
 src/AssemblyInfo.Csv.Core.fs | 20 +++++---------------
 src/AssemblyInfo.DesignTime.fs | 20 +++++---------------
 src/AssemblyInfo.Html.Core.fs | 20 +++++---------------
 src/AssemblyInfo.Http.fs | 20 +++++---------------
 src/AssemblyInfo.Json.Core.fs | 20 +++++---------------
 src/AssemblyInfo.Runtime.Utilities.fs | 20 +++++---------------
 src/AssemblyInfo.WorldBank.Core.fs | 20 +++++---------------
 src/AssemblyInfo.Xml.Core.fs | 20 +++++---------------
 src/AssemblyInfo.fs | 20 +++++---------------
 src/FSharp.Data.Xml.Core/XmlRuntime.fs | 13 +++++++++----
 10 files changed, 54 insertions(+), 139 deletions(-)
diff --git a/src/AssemblyInfo.Csv.Core.fs b/src/AssemblyInfo.Csv.Core.fs
index 888e73cc7..e5282ab0e 100644
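Review bot: The hardened `XmlReaderSettings` block here is a copy of the one in `Create` above, so the two parsers can drift the next time someone relaxes one of them; hoist it into a single module-private value, e.g. `let private secureXmlReaderSettings = XmlReaderSettings(DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null, MaxCharactersFromEntities = 1024L * 1024L)`, and reference it from both members so the XXE policy lives in one place (as far as I recall `XmlReader.Create` takes its own copy of the settings, so sharing one instance should be safe, but confirm on the target frameworks). Note also that the pre-existing `with _ when text.TrimStart().StartsWith "<"` handler now also catches the XmlException raised for a prohibited DOCTYPE and retries the same text wrapped in a root element, which fails for the same reason, so a caller only ever sees the second attempt's exception; narrowing the handler to the multi-root-fragment case it appears to have been written for, or rethrowing the first exception when the retry also fails, would make DTD rejections easier to diagnose. The enclosing member's signature is above the hunk.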
--- a/src/AssemblyInfo.Csv.Core.fs +++ b/src/AssemblyInfo.Csv.Core.fs @@ -1,6 +1,5 @@ // Auto-Generated by FAKE; do not edit namespace System - open System.Reflection [] @@ -11,17 +10,8 @@ open System.Reflection do () module internal AssemblyVersionInformation = - [] - let AssemblyTitle = "FSharp.Data.Csv.Core" - - [] - let AssemblyProduct = "FSharp.Data" - - [] - let AssemblyDescription = "Library of F# type providers and data access tools" - - [] - let AssemblyVersion = "6.6.0.0" - - [] - let AssemblyFileVersion = "6.6.0.0" + let [] AssemblyTitle = "FSharp.Data.Csv.Core" + let [] AssemblyProduct = "FSharp.Data" + let [] AssemblyDescription = "Library of F# type providers and data access tools" + let [] AssemblyVersion = "6.6.0.0" + let [] AssemblyFileVersion = "6.6.0.0" diff --git a/src/AssemblyInfo.DesignTime.fs b/src/AssemblyInfo.DesignTime.fs index 3aad23dfc..1c6932de9 100644 --- a/src/AssemblyInfo.DesignTime.fs +++ b/src/AssemblyInfo.DesignTime.fs @@ -1,6 +1,5 @@ // Auto-Generated by FAKE; do not edit namespace System - open System.Reflection [] @@ -11,17 +10,8 @@ open System.Reflection do () module internal AssemblyVersionInformation = - [] - let AssemblyTitle = "FSharp.Data.DesignTime" - - [] - let AssemblyProduct = "FSharp.Data" - - [] - let AssemblyDescription = "Library of F# type providers and data access tools" - - [] - let AssemblyVersion = "6.6.0.0" - - [] - let AssemblyFileVersion = "6.6.0.0" + let [] AssemblyTitle = "FSharp.Data.DesignTime" + let [] AssemblyProduct = "FSharp.Data" + let [] AssemblyDescription = "Library of F# type providers and data access tools" + let [] AssemblyVersion = "6.6.0.0" + let [] AssemblyFileVersion = "6.6.0.0" diff --git a/src/AssemblyInfo.Html.Core.fs b/src/AssemblyInfo.Html.Core.fs index c5af74d43..6d9977aa8 100644 --- a/src/AssemblyInfo.Html.Core.fs +++ b/src/AssemblyInfo.Html.Core.fs @@ -1,6 +1,5 @@ // Auto-Generated by FAKE; do not edit namespace System - open System.Reflection [] 
@@ -11,17 +10,8 @@ open System.Reflection do () module internal AssemblyVersionInformation = - [] - let AssemblyTitle = "FSharp.Data.Html.Core" - - [] - let AssemblyProduct = "FSharp.Data" - - [] - let AssemblyDescription = "Library of F# type providers and data access tools" - - [] - let AssemblyVersion = "6.6.0.0" - - [] - let AssemblyFileVersion = "6.6.0.0" + let [] AssemblyTitle = "FSharp.Data.Html.Core" + let [] AssemblyProduct = "FSharp.Data" + let [] AssemblyDescription = "Library of F# type providers and data access tools" + let [] AssemblyVersion = "6.6.0.0" + let [] AssemblyFileVersion = "6.6.0.0" diff --git a/src/AssemblyInfo.Http.fs b/src/AssemblyInfo.Http.fs index d622309cb..e7bf4bb51 100644 --- a/src/AssemblyInfo.Http.fs +++ b/src/AssemblyInfo.Http.fs @@ -1,6 +1,5 @@ // Auto-Generated by FAKE; do not edit namespace System - open System.Reflection [] @@ -11,17 +10,8 @@ open System.Reflection do () module internal AssemblyVersionInformation = - [] - let AssemblyTitle = "FSharp.Data.Http" - - [] - let AssemblyProduct = "FSharp.Data" - - [] - let AssemblyDescription = "Library of F# type providers and data access tools" - - [] - let AssemblyVersion = "6.6.0.0" - - [] - let AssemblyFileVersion = "6.6.0.0" + let [] AssemblyTitle = "FSharp.Data.Http" + let [] AssemblyProduct = "FSharp.Data" + let [] AssemblyDescription = "Library of F# type providers and data access tools" + let [] AssemblyVersion = "6.6.0.0" + let [] AssemblyFileVersion = "6.6.0.0" diff --git a/src/AssemblyInfo.Json.Core.fs b/src/AssemblyInfo.Json.Core.fs index b9c0ebccb..dc058f775 100644 --- a/src/AssemblyInfo.Json.Core.fs +++ b/src/AssemblyInfo.Json.Core.fs @@ -1,6 +1,5 @@ // Auto-Generated by FAKE; do not edit namespace System - open System.Reflection [] 
@@ -11,17 +10,8 @@ open System.Reflection do () module internal AssemblyVersionInformation = - [] - let AssemblyTitle = "FSharp.Data.Json.Core" - - [] - let AssemblyProduct = "FSharp.Data" - - [] - let AssemblyDescription = "Library of F# type providers and data access tools" - - [] - let AssemblyVersion = "6.6.0.0" - - [] - let AssemblyFileVersion = "6.6.0.0" + let [] AssemblyTitle = "FSharp.Data.Json.Core" + let [] AssemblyProduct = "FSharp.Data" + let [] AssemblyDescription = "Library of F# type providers and data access tools" + let [] AssemblyVersion = "6.6.0.0" + let [] AssemblyFileVersion = "6.6.0.0" diff --git a/src/AssemblyInfo.Runtime.Utilities.fs b/src/AssemblyInfo.Runtime.Utilities.fs index 6369e3d64..3005f3d95 100644 --- a/src/AssemblyInfo.Runtime.Utilities.fs +++ b/src/AssemblyInfo.Runtime.Utilities.fs @@ -1,6 +1,5 @@ // Auto-Generated by FAKE; do not edit namespace System - open System.Reflection [] @@ -11,17 +10,8 @@ open System.Reflection do () module internal AssemblyVersionInformation = - [] - let AssemblyTitle = "FSharp.Data.Runtime.Utilities" - - [] - let AssemblyProduct = "FSharp.Data" - - [] - let AssemblyDescription = "Library of F# type providers and data access tools" - - [] - let AssemblyVersion = "6.6.0.0" - - [] - let AssemblyFileVersion = "6.6.0.0" + let [] AssemblyTitle = "FSharp.Data.Runtime.Utilities" + let [] AssemblyProduct = "FSharp.Data" + let [] AssemblyDescription = "Library of F# type providers and data access tools" + let [] AssemblyVersion = "6.6.0.0" + let [] AssemblyFileVersion = "6.6.0.0" diff --git a/src/AssemblyInfo.WorldBank.Core.fs b/src/AssemblyInfo.WorldBank.Core.fs index 17eaa1171..7cf434b3d 100644 --- a/src/AssemblyInfo.WorldBank.Core.fs +++ b/src/AssemblyInfo.WorldBank.Core.fs @@ -1,6 +1,5 @@ // Auto-Generated by FAKE; do not edit namespace System - open System.Reflection [] 
@@ -11,17 +10,8 @@ open System.Reflection do () module internal AssemblyVersionInformation = - [] - let AssemblyTitle = "FSharp.Data.WorldBank.Core" - - [] - let AssemblyProduct = "FSharp.Data" - - [] - let AssemblyDescription = "Library of F# type providers and data access tools" - - [] - let AssemblyVersion = "6.6.0.0" - - [] - let AssemblyFileVersion = "6.6.0.0" + let [] AssemblyTitle = "FSharp.Data.WorldBank.Core" + let [] AssemblyProduct = "FSharp.Data" + let [] AssemblyDescription = "Library of F# type providers and data access tools" + let [] AssemblyVersion = "6.6.0.0" + let [] AssemblyFileVersion = "6.6.0.0" diff --git a/src/AssemblyInfo.Xml.Core.fs b/src/AssemblyInfo.Xml.Core.fs index 8f71377c6..6ee2e054b 100644 --- a/src/AssemblyInfo.Xml.Core.fs +++ b/src/AssemblyInfo.Xml.Core.fs @@ -1,6 +1,5 @@ // Auto-Generated by FAKE; do not edit namespace System - open System.Reflection [] @@ -11,17 +10,8 @@ open System.Reflection do () module internal AssemblyVersionInformation = - [] - let AssemblyTitle = "FSharp.Data.Xml.Core" - - [] - let AssemblyProduct = "FSharp.Data" - - [] - let AssemblyDescription = "Library of F# type providers and data access tools" - - [] - let AssemblyVersion = "6.6.0.0" - - [] - let AssemblyFileVersion = "6.6.0.0" + let [] AssemblyTitle = "FSharp.Data.Xml.Core" + let [] AssemblyProduct = "FSharp.Data" + let [] AssemblyDescription = "Library of F# type providers and data access tools" + let [] AssemblyVersion = "6.6.0.0" + let [] AssemblyFileVersion = "6.6.0.0" diff --git a/src/AssemblyInfo.fs b/src/AssemblyInfo.fs index 6f77a7564..fa95cbef3 100644 --- a/src/AssemblyInfo.fs +++ b/src/AssemblyInfo.fs @@ -1,6 +1,5 @@ // Auto-Generated by FAKE; do not edit namespace System - open System.Reflection [] 
@@ -11,17 +10,8 @@ open System.Reflection do () module internal AssemblyVersionInformation = - [] - let AssemblyTitle = "FSharp.Data" - - [] - let AssemblyProduct = "FSharp.Data" - - [] - let AssemblyDescription = "Library of F# type providers and data access tools" - - [] - let AssemblyVersion = "6.6.0.0" - - [] - let AssemblyFileVersion = "6.6.0.0" + let [] AssemblyTitle = "FSharp.Data" + let [] AssemblyProduct = "FSharp.Data" + let [] AssemblyDescription = "Library of F# type providers and data access tools" + let [] AssemblyVersion = "6.6.0.0" + let [] AssemblyFileVersion = "6.6.0.0" diff --git a/src/FSharp.Data.Xml.Core/XmlRuntime.fs b/src/FSharp.Data.Xml.Core/XmlRuntime.fs index 8800867df..dbabc040d 100644 --- a/src/FSharp.Data.Xml.Core/XmlRuntime.fs +++ b/src/FSharp.Data.Xml.Core/XmlRuntime.fs @@ -58,11 +58,13 @@ type XmlElement = static member Create(reader: TextReader) = use reader = reader // Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks - let xmlReaderSettings = + let xmlReaderSettings = new XmlReaderSettings( DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null, - MaxCharactersFromEntities = 1024L * 1024L) // 1MB limit + MaxCharactersFromEntities = 1024L * 1024L + ) // 1MB limit + use xmlReader = XmlReader.Create(reader, xmlReaderSettings) let element = XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root { XElement = element } 
@@ -78,21 +80,24 @@ type XmlElement =
let text = reader.ReadToEnd()
// Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks
- let xmlReaderSettings =
+ let xmlReaderSettings =
new XmlReaderSettings(
DtdProcessing = DtdProcessing.Prohibit,
XmlResolver = null,
- MaxCharactersFromEntities = 1024L * 1024L) // 1MB limit
+ MaxCharactersFromEntities = 1024L * 1024L
+ ) // 1MB limit
try
use stringReader = new StringReader(text)
use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
+
XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
|> Seq.map (fun value -> { XElement = value })
|> Seq.toArray
with _ when text.TrimStart().StartsWith "<" ->
use stringReader = new StringReader("" + text + "")
use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
+
XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
|> Seq.map (fun value -> { XElement = value })
|> Seq.toArray