Revert "Potential XXE vulnerability fix on XML-parsing" (#1633)

dsyme · web-flow · commit 6c4b5033e331 · 2026-02-23T15:32:41.000Z
diff --git a/src/AssemblyInfo.Csv.Core.fs b/src/AssemblyInfo.Csv.Core.fs
@@ -1,5 +1,6 @@
 ﻿// Auto-Generated by FAKE; do not edit
 namespace System
+
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Csv.Core")>]
@@ -10,8 +11,17 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    let [<Literal>] AssemblyTitle = "FSharp.Data.Csv.Core"
-    let [<Literal>] AssemblyProduct = "FSharp.Data"
-    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
-    let [<Literal>] AssemblyVersion = "6.6.0.0"
-    let [<Literal>] AssemblyFileVersion = "6.6.0.0"
+    [<Literal>]
+    let AssemblyTitle = "FSharp.Data.Csv.Core"
+
+    [<Literal>]
+    let AssemblyProduct = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyDescription = "Library of F# type providers and data access tools"
+
+    [<Literal>]
+    let AssemblyVersion = "6.6.0.0"
+
+    [<Literal>]
+    let AssemblyFileVersion = "6.6.0.0"
diff --git a/src/AssemblyInfo.DesignTime.fs b/src/AssemblyInfo.DesignTime.fs
@@ -1,5 +1,6 @@
 ﻿// Auto-Generated by FAKE; do not edit
 namespace System
+
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.DesignTime")>]
@@ -10,8 +11,17 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    let [<Literal>] AssemblyTitle = "FSharp.Data.DesignTime"
-    let [<Literal>] AssemblyProduct = "FSharp.Data"
-    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
-    let [<Literal>] AssemblyVersion = "6.6.0.0"
-    let [<Literal>] AssemblyFileVersion = "6.6.0.0"
+    [<Literal>]
+    let AssemblyTitle = "FSharp.Data.DesignTime"
+
+    [<Literal>]
+    let AssemblyProduct = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyDescription = "Library of F# type providers and data access tools"
+
+    [<Literal>]
+    let AssemblyVersion = "6.6.0.0"
+
+    [<Literal>]
+    let AssemblyFileVersion = "6.6.0.0"
diff --git a/src/AssemblyInfo.Html.Core.fs b/src/AssemblyInfo.Html.Core.fs
@@ -1,5 +1,6 @@
 ﻿// Auto-Generated by FAKE; do not edit
 namespace System
+
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Html.Core")>]
@@ -10,8 +11,17 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    let [<Literal>] AssemblyTitle = "FSharp.Data.Html.Core"
-    let [<Literal>] AssemblyProduct = "FSharp.Data"
-    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
-    let [<Literal>] AssemblyVersion = "6.6.0.0"
-    let [<Literal>] AssemblyFileVersion = "6.6.0.0"
+    [<Literal>]
+    let AssemblyTitle = "FSharp.Data.Html.Core"
+
+    [<Literal>]
+    let AssemblyProduct = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyDescription = "Library of F# type providers and data access tools"
+
+    [<Literal>]
+    let AssemblyVersion = "6.6.0.0"
+
+    [<Literal>]
+    let AssemblyFileVersion = "6.6.0.0"
diff --git a/src/AssemblyInfo.Http.fs b/src/AssemblyInfo.Http.fs
@@ -1,5 +1,6 @@
 ﻿// Auto-Generated by FAKE; do not edit
 namespace System
+
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Http")>]
@@ -10,8 +11,17 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    let [<Literal>] AssemblyTitle = "FSharp.Data.Http"
-    let [<Literal>] AssemblyProduct = "FSharp.Data"
-    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
-    let [<Literal>] AssemblyVersion = "6.6.0.0"
-    let [<Literal>] AssemblyFileVersion = "6.6.0.0"
+    [<Literal>]
+    let AssemblyTitle = "FSharp.Data.Http"
+
+    [<Literal>]
+    let AssemblyProduct = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyDescription = "Library of F# type providers and data access tools"
+
+    [<Literal>]
+    let AssemblyVersion = "6.6.0.0"
+
+    [<Literal>]
+    let AssemblyFileVersion = "6.6.0.0"
diff --git a/src/AssemblyInfo.Json.Core.fs b/src/AssemblyInfo.Json.Core.fs
@@ -1,5 +1,6 @@
 ﻿// Auto-Generated by FAKE; do not edit
 namespace System
+
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Json.Core")>]
@@ -10,8 +11,17 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    let [<Literal>] AssemblyTitle = "FSharp.Data.Json.Core"
-    let [<Literal>] AssemblyProduct = "FSharp.Data"
-    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
-    let [<Literal>] AssemblyVersion = "6.6.0.0"
-    let [<Literal>] AssemblyFileVersion = "6.6.0.0"
+    [<Literal>]
+    let AssemblyTitle = "FSharp.Data.Json.Core"
+
+    [<Literal>]
+    let AssemblyProduct = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyDescription = "Library of F# type providers and data access tools"
+
+    [<Literal>]
+    let AssemblyVersion = "6.6.0.0"
+
+    [<Literal>]
+    let AssemblyFileVersion = "6.6.0.0"
diff --git a/src/AssemblyInfo.Runtime.Utilities.fs b/src/AssemblyInfo.Runtime.Utilities.fs
@@ -1,5 +1,6 @@
 ﻿// Auto-Generated by FAKE; do not edit
 namespace System
+
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Runtime.Utilities")>]
@@ -10,8 +11,17 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    let [<Literal>] AssemblyTitle = "FSharp.Data.Runtime.Utilities"
-    let [<Literal>] AssemblyProduct = "FSharp.Data"
-    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
-    let [<Literal>] AssemblyVersion = "6.6.0.0"
-    let [<Literal>] AssemblyFileVersion = "6.6.0.0"
+    [<Literal>]
+    let AssemblyTitle = "FSharp.Data.Runtime.Utilities"
+
+    [<Literal>]
+    let AssemblyProduct = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyDescription = "Library of F# type providers and data access tools"
+
+    [<Literal>]
+    let AssemblyVersion = "6.6.0.0"
+
+    [<Literal>]
+    let AssemblyFileVersion = "6.6.0.0"
diff --git a/src/AssemblyInfo.WorldBank.Core.fs b/src/AssemblyInfo.WorldBank.Core.fs
@@ -1,5 +1,6 @@
 ﻿// Auto-Generated by FAKE; do not edit
 namespace System
+
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.WorldBank.Core")>]
@@ -10,8 +11,17 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    let [<Literal>] AssemblyTitle = "FSharp.Data.WorldBank.Core"
-    let [<Literal>] AssemblyProduct = "FSharp.Data"
-    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
-    let [<Literal>] AssemblyVersion = "6.6.0.0"
-    let [<Literal>] AssemblyFileVersion = "6.6.0.0"
+    [<Literal>]
+    let AssemblyTitle = "FSharp.Data.WorldBank.Core"
+
+    [<Literal>]
+    let AssemblyProduct = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyDescription = "Library of F# type providers and data access tools"
+
+    [<Literal>]
+    let AssemblyVersion = "6.6.0.0"
+
+    [<Literal>]
+    let AssemblyFileVersion = "6.6.0.0"
diff --git a/src/AssemblyInfo.Xml.Core.fs b/src/AssemblyInfo.Xml.Core.fs
@@ -1,5 +1,6 @@
 ﻿// Auto-Generated by FAKE; do not edit
 namespace System
+
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data.Xml.Core")>]
@@ -10,8 +11,17 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    let [<Literal>] AssemblyTitle = "FSharp.Data.Xml.Core"
-    let [<Literal>] AssemblyProduct = "FSharp.Data"
-    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
-    let [<Literal>] AssemblyVersion = "6.6.0.0"
-    let [<Literal>] AssemblyFileVersion = "6.6.0.0"
+    [<Literal>]
+    let AssemblyTitle = "FSharp.Data.Xml.Core"
+
+    [<Literal>]
+    let AssemblyProduct = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyDescription = "Library of F# type providers and data access tools"
+
+    [<Literal>]
+    let AssemblyVersion = "6.6.0.0"
+
+    [<Literal>]
+    let AssemblyFileVersion = "6.6.0.0"
diff --git a/src/AssemblyInfo.fs b/src/AssemblyInfo.fs
@@ -1,5 +1,6 @@
 ﻿// Auto-Generated by FAKE; do not edit
 namespace System
+
 open System.Reflection
 
 [<assembly: AssemblyTitleAttribute("FSharp.Data")>]
@@ -10,8 +11,17 @@ open System.Reflection
 do ()
 
 module internal AssemblyVersionInformation =
-    let [<Literal>] AssemblyTitle = "FSharp.Data"
-    let [<Literal>] AssemblyProduct = "FSharp.Data"
-    let [<Literal>] AssemblyDescription = "Library of F# type providers and data access tools"
-    let [<Literal>] AssemblyVersion = "6.6.0.0"
-    let [<Literal>] AssemblyFileVersion = "6.6.0.0"
+    [<Literal>]
+    let AssemblyTitle = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyProduct = "FSharp.Data"
+
+    [<Literal>]
+    let AssemblyDescription = "Library of F# type providers and data access tools"
+
+    [<Literal>]
+    let AssemblyVersion = "6.6.0.0"
+
+    [<Literal>]
+    let AssemblyFileVersion = "6.6.0.0"
diff --git a/src/FSharp.Data.Xml.Core/XmlRuntime.fs b/src/FSharp.Data.Xml.Core/XmlRuntime.fs
@@ -6,7 +6,6 @@ namespace FSharp.Data.Runtime.BaseTypes
 
 open System.ComponentModel
 open System.IO
-open System.Xml
 open System.Xml.Linq
 
 #nowarn "10001"
@@ -57,16 +56,7 @@ type XmlElement =
                                IsError = false)>]
     static member Create(reader: TextReader) =
         use reader = reader
-        // Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks
-        let xmlReaderSettings =
-            new XmlReaderSettings(
-                DtdProcessing = DtdProcessing.Prohibit,
-                XmlResolver = null,
-                MaxCharactersFromEntities = 1024L * 1024L
-            ) // 1MB limit
-
-        use xmlReader = XmlReader.Create(reader, xmlReaderSettings)
-        let element = XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root
+        let element = XDocument.Load(reader, LoadOptions.PreserveWhitespace).Root
         { XElement = element }
 
     /// <exclude />
@@ -79,26 +69,12 @@ type XmlElement =
         use reader = reader
         let text = reader.ReadToEnd()
 
-        // Secure XML parsing: disable DTD processing and external entities to prevent XXE attacks
-        let xmlReaderSettings =
-            new XmlReaderSettings(
-                DtdProcessing = DtdProcessing.Prohibit,
-                XmlResolver = null,
-                MaxCharactersFromEntities = 1024L * 1024L
-            ) // 1MB limit
-
         try
-            use stringReader = new StringReader(text)
-            use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
-
-            XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
+            XDocument.Parse(text, LoadOptions.PreserveWhitespace).Root.Elements()
             |> Seq.map (fun value -> { XElement = value })
             |> Seq.toArray
         with _ when text.TrimStart().StartsWith "<" ->
-            use stringReader = new StringReader("<root>" + text + "</root>")
-            use xmlReader = XmlReader.Create(stringReader, xmlReaderSettings)
-
-            XDocument.Load(xmlReader, LoadOptions.PreserveWhitespace).Root.Elements()
+            XDocument.Parse("<root>" + text + "</root>", LoadOptions.PreserveWhitespace).Root.Elements()
             |> Seq.map (fun value -> { XElement = value })
             |> Seq.toArray
 
