
replaced stream with memoryStream for reading the message. #1027

Merged
merged 12 commits into from
Feb 28, 2024
49 changes: 28 additions & 21 deletions src/SoapCore/MessageEncoder/SoapMessageEncoder.cs
Expand Up @@ -130,39 +130,46 @@
return await ReadMessageAsync(stream, maxSizeOfHeaders, contentType);
}

public Task<Message> ReadMessageAsync(Stream stream, int maxSizeOfHeaders, string contentType)
public async Task<Message> ReadMessageAsync(Stream stream, int maxSizeOfHeaders, string contentType)
{
if (stream == null)
{
throw new ArgumentNullException(nameof(stream));
}

XmlReader reader;
Message message;

var readEncoding = SoapMessageEncoderDefaults.ContentTypeToEncoding(contentType);

if (readEncoding == null)
using (var ms = new MemoryStream())
{
// Fallback to default or writeEncoding
readEncoding = _writeEncoding;
}
await stream.CopyToAsync(ms);
ms.Seek(0, SeekOrigin.Begin);
XmlReader reader;

var supportXmlDictionaryReader = SoapMessageEncoderDefaults.TryValidateEncoding(readEncoding, out _);
var readEncoding = SoapMessageEncoderDefaults.ContentTypeToEncoding(contentType);

if (supportXmlDictionaryReader)
{
reader = XmlDictionaryReader.CreateTextReader(stream, readEncoding, ReaderQuotas, dictionaryReader => { });
}
else
{
var streamReaderWithEncoding = new StreamReader(stream, readEncoding);
var xmlReaderSettings = new XmlReaderSettings() { IgnoreWhitespace = true, DtdProcessing = DtdProcessing.Prohibit, CloseInput = true };
reader = XmlReader.Create(streamReaderWithEncoding, xmlReaderSettings);
}
if (readEncoding == null)
{
// Fallback to default or writeEncoding
readEncoding = _writeEncoding;
}

var supportXmlDictionaryReader = SoapMessageEncoderDefaults.TryValidateEncoding(readEncoding, out _);

if (supportXmlDictionaryReader)
{
reader = XmlDictionaryReader.CreateTextReader(ms, readEncoding, ReaderQuotas, dictionaryReader => { });
}
else
{
var streamReaderWithEncoding = new StreamReader(ms, readEncoding);
var xmlReaderSettings = new XmlReaderSettings() { IgnoreWhitespace = true, DtdProcessing = DtdProcessing.Prohibit, CloseInput = true };
reader = XmlReader.Create(streamReaderWithEncoding, xmlReaderSettings);

Check failure

Code scanning / CodeQL

Untrusted XML is read insecurely Critical

This insecure XML processing depends on a
user-provided value
(DTD processing is enabled by default in versions before 4.0, default settings resolver is insecure in versions before 4.5).
This insecure XML processing depends on a
user-provided value
(DTD processing is enabled by default in versions before 4.0, default settings resolver is insecure in versions before 4.5).
}

Message message = Message.CreateMessage(reader, maxSizeOfHeaders, MessageVersion);
message = Message.CreateMessage(reader, maxSizeOfHeaders, MessageVersion).CreateBufferedCopy(int.MaxValue).CreateMessage();
}

return Task.FromResult(message);
return message;
}

public virtual async Task WriteMessageAsync(Message message, HttpContext httpContext, PipeWriter pipeWriter, bool indentXml)
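Review bot: The new `await stream.CopyToAsync(ms)` copies the whole request body into a MemoryStream with no size bound, so a large or slow-drip request can exhaust process memory before any of the ReaderQuotas or `maxSizeOfHeaders` checks run, which only apply to the later parse. The `CreateBufferedCopy(int.MaxValue)` on the last line then materialises the message a second time, so peak memory is roughly twice the body size. I would replace the unbounded copy with a read loop that rejects the body once it exceeds a configured limit (the fence below uses a placeholder constant, since no message-size limit is visible in this hunk), and consider whether the buffered copy is still needed once the MemoryStream is owned by the message rather than disposed by the `using`. The `using (var ms = …)` block is the reason the buffered copy exists: the reader's stream is disposed before the caller consumes the message, so a short comment on that line, `// ms is disposed on exit; the message must be fully buffered before returning`, would save the next maintainer from removing the copy.
```csharp
// … unchanged: null check on stream …
using (var ms = new MemoryStream())
{
    // The body is untrusted; ReaderQuotas only bound the parse, not this buffer.
    // MAX_MESSAGE_BYTES is a placeholder for a configured limit.
    var chunk = new byte[81920];
    int read;
    while ((read = await stream.ReadAsync(chunk, 0, chunk.Length)) > 0)
    {
        if (ms.Length + read > MAX_MESSAGE_BYTES)
        {
            throw new InvalidOperationException("SOAP message exceeds the configured maximum size.");
        }

        ms.Write(chunk, 0, read);
    }

    ms.Seek(0, SeekOrigin.Begin);
    // … unchanged: encoding detection, reader creation, Message.CreateMessage …
}
```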