@jeffhandley jeffhandley commented Jan 8, 2026

Augments "Note that DeserializingResourceReader should not be used with untrusted data" (dotnet/dotnet-api-docs#12198) with a central statement that resources are considered trusted.


Internal previews

| 📄 File | 🔗 Preview link |
|---|---|
| docs/core/extensions/resources.md | Resources in .NET apps |

@jeffhandley jeffhandley self-assigned this Jan 8, 2026
@jeffhandley jeffhandley requested review from a team and gewarren as code owners January 8, 2026 01:06
Copilot AI review requested due to automatic review settings January 8, 2026 01:06
@dotnetrepoman dotnetrepoman bot added this to the January 2026 milestone Jan 8, 2026

Copilot AI left a comment


Pull request overview

This PR adds a security-focused NOTE to the Resources in .NET apps documentation, clarifying that resource files (.resx and .resources) are considered trusted components of application deployment. This aligns with related work documenting security expectations for APIs that process resource files.

Key Changes:

  • Added a NOTE block explaining the trust model for resource files in .NET
  • Warns developers against processing untrusted resource files unless using explicitly safe APIs

Co-authored-by: Genevieve Warren <[email protected]>
@jeffhandley jeffhandley merged commit 712e5a5 into dotnet:main Jan 8, 2026
9 checks passed
@jeffhandley jeffhandley deleted the jeffhandley/resources-trusted branch January 8, 2026 21:51