From 9a1326559f6cdddda6bdaceccdff16e50b4b6c72 Mon Sep 17 00:00:00 2001
From: JRahnama
Date: Tue, 5 Sep 2023 08:49:04 -0700
Subject: [PATCH 1/2] SDL | Changing ReadXml to a more secure overload.
---
 .../Microsoft/Data/ProviderBase/DbMetaDataFactory.cs | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs
index 6e907d26e1..fe4b007d32 100644
--- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs
+++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs
@@ -9,6 +9,7 @@
 using System.Diagnostics;
 using System.Globalization;
 using System.IO;
+using System.Xml;
 namespace Microsoft.Data.ProviderBase
 {
@@ -499,9 +500,14 @@ private void LoadDataSetFromXml(Stream XmlStream)
 {
 _metaDataCollectionsDataSet = new DataSet
 {
- Locale = System.Globalization.CultureInfo.InvariantCulture
+ Locale = CultureInfo.InvariantCulture
+ };
+ XmlReaderSettings settings = new()
+ {
+ XmlResolver = null
 };
- _metaDataCollectionsDataSet.ReadXml(XmlStream);
+ XmlReader reader = XmlReader.Create(XmlStream, settings);
+ _metaDataCollectionsDataSet.ReadXml(reader);
 }
 protected virtual DataTable PrepareCollection(string collectionName, string[] restrictions, DbConnection connection)
From a5e5b49a25da61c84fb660a9f5667559a7fc2f6c Mon Sep 17 00:00:00 2001
From: JRahnama
Date: Tue, 5 Sep 2023 13:46:18 -0700
Subject: [PATCH 2/2] adjust xmlreader with using statement.
---
 .../src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs
index fe4b007d32..c3c34c702b 100644
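Review bot: The `XmlResolver = null` initializer in the new XmlReaderSettings block says nothing about which threat it closes, so a later cleanup could drop it as "already the default"; I would keep the intent next to the setting with `// Do not resolve external entities or DTDs from metadata XML (XXE hardening).` and make the companion policy explicit with `DtdProcessing = DtdProcessing.Prohibit,` even though Prohibit is already the XmlReaderSettings default. Because `CloseInput` is left at its default of false, the reader never closes `XmlStream`, so ownership of the stream stays with the caller; that contract is worth one line in the method's doc comment. The start of LoadDataSetFromXml's body is in the hunk, but its signature is visible only in the hunk header.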
--- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs
+++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/ProviderBase/DbMetaDataFactory.cs
@@ -506,7 +506,7 @@ private void LoadDataSetFromXml(Stream XmlStream)
 {
 XmlResolver = null
 };
- XmlReader reader = XmlReader.Create(XmlStream, settings);
+ using XmlReader reader = XmlReader.Create(XmlStream, settings);
 _metaDataCollectionsDataSet.ReadXml(reader);
 }