Risks of allowing users to upload PDF and XML files to be stored/retrieved from a DB (ASPNET MVC 5)
I'm modifying an ASPNET MVC 5 web site and a requirement is to allow users to upload an XML and PDF file.
The XML file will be used to layout text on the PDF based on variables coming from within the system.
I have a schema for the XML that can be uploaded - so I can validate against a malformed XML - and that the XML matches the schema.
Where I'm unsure is in worries about DOS and malicious code in the XML. Is checking against the schema enough or can malicious code pass the schema check?
Also, the PDF is just stamped with text content using iText - would I need to worry about something nefarious in the PDF?
Both files are stored as byte[] in a database and never on a file system directly.
Part of the site prepares the PDF with the XML content and displays to the user and another part prepares the PDF to attach to an email. (Just trying to give some context in its use)
There seems to be so many places this could open security vulnerabilities and the client is using a 3rd party IT security vendor for this as well. I have to allow the functionality as I can't get around it.
