From 6c0c7ce5df0bb8743b85c9d7f3820587ebc647b6 Mon Sep 17 00:00:00 2001
From: "Taisen.fr (Dev)"
Date: Mon, 20 May 2024 16:18:50 +0200
Subject: [PATCH] Authent XML ++

---
 Controller/Controller.cs | 4 ++--
 Program.cs               | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Controller/Controller.cs b/Controller/Controller.cs
index adcbc35..67d0200 100644
--- a/Controller/Controller.cs
+++ b/Controller/Controller.cs
@@ -82,11 +82,12 @@ On enregistre les objets "employé" valides dans un fichier en lecture seule
         return Results.Ok($"File is : {File.GetAttributes(ROFile).ToString()} New id : {NewId} Empty Var: {HaveToBeEmpty.IsNullOrEmpty()}");
     }
-    public static string VulnerableXmlParser(string Xml)
+    public static string VulnerableXmlParser(string Xml, string Token, string Secret)
     {
         /*
 Parse les données XML passées en paramètre et retourne son contenu
         */
+        if (!VulnerableValidateToken(Token, Secret)) return Results.Unauthorized().ToString();
         try
         {
             var Xsl = XDocument.Parse(Xml);
@@ -103,7 +104,6 @@ Parse les données XML passées en paramètre et retourne son contenu
         }
         catch (Exception ex)
         {
-            Xml = Xml.Replace("Framework", "").Replace("Token", "").Replace("Cmd", "").Replace("powershell", "").Replace("http", "");
             XmlReaderSettings ReaderSettings = new XmlReaderSettings();
             ReaderSettings.DtdProcessing = DtdProcessing.Parse;
             ReaderSettings.XmlResolver = new XmlUrlResolver();
diff --git a/Program.cs b/Program.cs
index 1caa0f7..57c2879 100644
--- a/Program.cs
+++ b/Program.cs
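Review bot: The added guard in VulnerableXmlParser does not actually refuse the request: the method is typed `string`, so `Results.Unauthorized().ToString()` yields the result type's name, and the `/Xml` endpoint in Program.cs (second hunk of this patch) wraps that string in a normal 200 text response rather than sending a 401. Returning an `IResult`, as the preceding method's `return Results.Ok(...)` suggests the file already does elsewhere, would make the rejection real: `public static IResult VulnerableXmlParser(string Xml, string Token, string Secret)` and `if (!VulnerableValidateToken(Token, Secret)) return Results.Unauthorized();`, with the method's other return statements (outside this hunk) wrapped in `Results.Ok(...)`. The catch path kept in the second hunk still sets `DtdProcessing.Parse` with an `XmlUrlResolver`, so a caller that presents a valid token can presumably still trigger external entity resolution; the removed `Replace` blacklist was never a mitigation for that, but the token check is now the only gate on this endpoint, and since Program.cs takes the token as the query parameter `t` it will also land in access logs and browser history. If this is a deliberately vulnerable lab target, which the `Vulnerable*` names suggest, state that intent next to the resolver settings, e.g. `// Intentionally vulnerable: DTD processing and external entity resolution are enabled for training purposes.` VulnerableXmlParser's body continues outside both hunks.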
@@ -48,7 +48,7 @@ app.MapGet("/", async (string? lang) => await Task.FromResult(VLAController.VulnerableHelloWorld(HttpUtility.UrlDecode(lang)))).WithOpenApi();
-app.MapGet("/Xml", async (string i) => await Task.FromResult(VLAController.VulnerableXmlParser(HttpUtility.UrlDecode(i)))).WithOpenApi();
+app.MapGet("/Xml", async (string i, string t) => await Task.FromResult(VLAController.VulnerableXmlParser(HttpUtility.UrlDecode(i), t, Secret))).WithOpenApi();
 app.MapGet("/Json", async (string i, string t) => await Task.FromResult(VLAController.VulnerableDeserialize(HttpUtility.UrlDecode(i), t, Secret))).WithOpenApi();