We are doing security analysis of our code using Veracode and it's showing an XXE flaw for the code below, specifically where Deserialize() is invoked. How can we prevent the serializer from accessing external entities? My attempt below is not working.
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Serialization;

public static T DeserializeObject<T>(string xml, string Namespace) where T : class
{
    XmlSerializer serializer = new XmlSerializer(typeof(T), Namespace);
    MemoryStream stream = new MemoryStream(Encoding.Default.GetBytes(xml));
    XmlReaderSettings settings = new XmlReaderSettings();
    // allow entity parsing but do so more safely: ignore the DTD and
    // give the reader no resolver, so it cannot fetch external resources
    settings.DtdProcessing = DtdProcessing.Ignore;
    settings.XmlResolver = null;
    using (XmlReader reader = XmlReader.Create(stream, settings))
    {
        return serializer.Deserialize(reader) as T;
    }
}
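For comparison, here is an added example (not from the question) of the stricter variant a reviewer would normally ask for: DtdProcessing.Prohibit makes the reader throw on any DOCTYPE, so no entity can be declared at all, and XmlResolver = null removes the means of fetching external resources. The Person type and both XML strings are constructed for the demonstration; XmlSerializer wraps the reader's XmlException in an InvalidOperationException.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

public class Person
{
    public string Name { get; set; }
}

public static class SafeXml
{
    // Deserialize through an XmlReader that refuses DTDs outright and has
    // no resolver; the serializer honours the reader's settings.
    public static T DeserializeObject<T>(string xml, string defaultNamespace) where T : class
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // throw on <!DOCTYPE ...>
            XmlResolver = null                      // never fetch external resources
        };
        var serializer = new XmlSerializer(typeof(T), defaultNamespace);
        using (var text = new StringReader(xml))
        using (var reader = XmlReader.Create(text, settings))
        {
            return serializer.Deserialize(reader) as T;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs: one plain document, one carrying a DTD.
        const string benign = "<Person><Name>Ada</Name></Person>";
        const string withDtd =
            "<!DOCTYPE Person [<!ENTITY e \"x\">]><Person><Name>&e;</Name></Person>";

        Person p = DeserializeObject<Person>(benign, null);
        Console.WriteLine($"benign document -> Name = {p.Name}");

        try
        {
            DeserializeObject<Person>(withDtd, null);
            Console.WriteLine("DTD document was accepted (unexpected)");
        }
        catch (InvalidOperationException ex) when (ex.InnerException is XmlException inner)
        {
            // Prohibit rejects the document before any entity is expanded.
            Console.WriteLine($"DTD document rejected: {inner.Message}");
        }
    }
}
```

The second input is rejected at the DOCTYPE, which is the behaviour scanners look for; with DtdProcessing.Ignore the DOCTYPE is skipped instead and the undefined &e; reference fails later, so both configurations block expansion but only Prohibit fails closed.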