xmldoc.Load(filepath)

I am working with a Windows Forms application written in VB.NET. The code has been audited, and the audit message points to line 48 below. Message: "XML parser configured in frmUpdate.vb on line 48 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack."
The suggested recommendation is:
"An  XML parser should be configured securely so that it does not allow external entities as part of an incoming XML document." The best way to prevent XXE attacks is to disable XML entity resolution by disabling inline DTD setting DtdProcessing to DtdProcessing.Prohibit or by disabling XML Entity resolution setting the XmlReaderSettings.XmlResolver property to null:

Can someone help me to resolve this? I have no idea how to fix this code so that I no longer get that audit message.



' frmUpdate.vb needs Imports System.Data and Imports System.Xml at the top of the file
35 Private Function readBalterDatabaseFile(ByRef filepath As String) As DataTable
36     Try
37         Dim xmldoc As New XmlDocument
38         Dim tblBalterDatabase As New DataTable
39         Dim currentRow As DataRow
40         Dim rootNode As XmlNode
41
42         tblBalterDatabase.Columns.Add("Client", Type.GetType("System.String"))
43         tblBalterDatabase.Columns.Add("Environment", Type.GetType("System.String"))
44         tblBalterDatabase.Columns.Add("BalterServer", Type.GetType("System.String"))
45         tblBalterDatabase.Columns.Add("BalterPort", Type.GetType("System.String"))
46         ' adding a "Client" column a second time here would throw DuplicateNameException
47
48         xmldoc.Load(filepath)   ' the line the audit flags: XmlDocument's default XmlResolver (XmlUrlResolver) resolves external entities
49
50         rootNode = xmldoc.SelectSingleNode("//Clients")
51         For Each clientnode As XmlNode In rootNode.ChildNodes
52             For Each environmentnode As XmlNode In clientnode.ChildNodes
53                 currentRow = tblBalterDatabase.NewRow
54                 For Each childnode As XmlNode In environmentnode.ChildNodes
55                     currentRow(childnode.Name) = childnode.InnerText
56                 Next
57                 currentRow("Client") = clientnode.Attributes("name").Value
58                 currentRow("Environment") = environmentnode.Attributes("name").Value   ' the environment name is on the <Environment> node, not the <Client> node
59                 tblBalterDatabase.Rows.Add(currentRow)
60             Next
61         Next
62         tblBalterDatabase.AcceptChanges()
63         Return tblBalterDatabase
64     Catch ex As Exception
65         Throw
66     End Try
67 End Function
brgdotnetcontractorAsked:

hieloCommented:
Try:
...
' https://msdn.microsoft.com/en-us/library/ms762632(v=VS.85).aspx
' (setProperty "ProhibitDTD" is the MSXML/COM form; the System.Xml equivalent is
'  DtdProcessing.Prohibit on XmlReaderSettings, which makes any DOCTYPE raise XmlException)
Dim settings As New XmlReaderSettings()
settings.DtdProcessing = DtdProcessing.Prohibit
settings.XmlResolver = Nothing

' https://msdn.microsoft.com/en-us/library/system.xml.xmldocument.xmlresolver(v=vs.110).aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
' look at the VB example
xmldoc.XmlResolver = Nothing   ' VB.NET assigns object references without the Set keyword

Using reader As XmlReader = XmlReader.Create(filepath, settings)
    xmldoc.Load(reader)
End Using
rootNode = xmldoc.SelectSingleNode("//Clients")
...
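Added example (not hielo's code and not the asker's project): the loader from the question rebuilt around an XmlReader whose settings prohibit DTDs and carry no resolver, followed by a constructed document with a DOCTYPE to confirm the parser throws instead of resolving anything. The module name, the function name, the TextReader parameter (so a string can stand in for the file path; a StreamReader over the path works the same way) and both XML samples are assumptions made for this example.

```vbnet
Imports System, System.Data, System.IO, System.Xml
Module SecureBalterLoader
    ' Loads the Clients/Client/Environment file into a DataTable through a hardened XmlReader.
    Public Function ReadBalterDatabase(input As TextReader) As DataTable
        Dim settings As New XmlReaderSettings()
        settings.DtdProcessing = DtdProcessing.Prohibit   ' any <!DOCTYPE ...> raises XmlException before content is read
        settings.XmlResolver = Nothing                    ' no external resource is ever fetched by the reader
        Dim xmldoc As New XmlDocument()
        xmldoc.XmlResolver = Nothing                      ' the document itself also gets no resolver
        Using reader As XmlReader = XmlReader.Create(input, settings)
            xmldoc.Load(reader)
        End Using
        Dim tbl As New DataTable()
        For Each name In {"Client", "Environment", "BalterServer", "BalterPort"}
            tbl.Columns.Add(name, GetType(String))
        Next
        For Each clientnode As XmlNode In xmldoc.SelectSingleNode("//Clients").ChildNodes
            For Each environmentnode As XmlNode In clientnode.ChildNodes
                Dim row As DataRow = tbl.NewRow()
                For Each childnode As XmlNode In environmentnode.ChildNodes
                    row(childnode.Name) = childnode.InnerText
                Next
                row("Client") = clientnode.Attributes("name").Value
                row("Environment") = environmentnode.Attributes("name").Value
                tbl.Rows.Add(row)
            Next
        Next
        Return tbl
    End Function

    Sub Main()
        ' Constructed sample input in the shape the question's loops expect.
        Dim good As String = "<Clients><Client name=""Acme""><Environment name=""Prod""><BalterServer>srv1</BalterServer><BalterPort>8080</BalterPort></Environment></Client></Clients>"
        Dim tbl As DataTable = ReadBalterDatabase(New StringReader(good))
        Console.WriteLine("{0} row(s); first server = {1}", tbl.Rows.Count, tbl.Rows(0)("BalterServer"))
        ' Constructed document carrying a DOCTYPE with an external entity (placeholder URI): must be rejected, never resolved.
        Dim hostile As String = "<!DOCTYPE Clients [<!ENTITY ext SYSTEM ""file:///placeholder.txt"">]><Clients><Client name=""&ext;""/></Clients>"
        Try
            ReadBalterDatabase(New StringReader(hostile))
            Console.WriteLine("UNEXPECTED: DTD was accepted")
        Catch ex As XmlException
            Console.WriteLine("Rejected as expected: " & ex.Message)
        End Try
    End Sub
End Module
```

With DtdProcessing.Prohibit the second load fails on the DOCTYPE itself, so the entity declaration is never parsed and the XmlResolver setting is only a second line of defence.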
