A static analysis security scan performed with Veracode found a medium-severity possible security issue related to XML document validation.
File: EsuRestApi.cs
Line: 4063
Method: private void handleError( HttpWebResponse resp )
Description: The application calls the system_xml_dll.System.Xml.XmlDocument.LoadXml() function to parse an XML document. By default, the default XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack. The first argument to LoadXml() contains tainted data from the variable responseText. The tainted data originated from earlier calls to system_dll.System.Net.HttpWebResponse.GetResponseStream, system_dll.System.Net.HttpWebRequest.GetResponse, system_dll.System.Net.WebRequest.GetResponseAsync, and system_dll.System.Net.WebException.get_Response.
We need your assistance in resolving this issue.
Unfortunately, at the current stage (Atmos end of life) this is not feasible for us to support. There aren't any resources from our side for this.
But this is open-source software, so you are free to fork the repo and fix any issues yourself; you can also contribute those fixes back via pull request.
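One way to harden the `LoadXml()` call the scan flags, as an added example that is not code from EsuRestApi.cs or from the project: the hypothetical `SafeXml.LoadUntrusted` helper parses the response text through an `XmlReader` that rejects DTDs and has no external resolver. The sample XML strings are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

static class SafeXml
{
    // Hypothetical helper (not from EsuRestApi.cs): parses untrusted XML
    // with DTDs rejected and no resolver for external references.
    public static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any DOCTYPE throws XmlException
            XmlResolver = null                      // never fetch external resources
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        // Constructed sample inputs, not captured from a real server.
        string plain = "<Error><Code>1003</Code><Message>not found</Message></Error>";
        string withDtd = "<!DOCTYPE Error [<!ENTITY e \"x\">]><Error><Message>&e;</Message></Error>";

        Console.WriteLine(LoadUntrusted(plain).SelectSingleNode("/Error/Message").InnerText);

        try
        {
            LoadUntrusted(withDtd);
            Console.WriteLine("DTD accepted (unexpected)");
        }
        catch (XmlException ex)
        {
            // Treat as a malformed error body; do not retry with a laxer parser.
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

In `handleError`, the same helper would take `responseText` in place of the direct `LoadXml(responseText)` call, with the `XmlException` handled as an unparseable error body.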