From 8c8eeeeb2f50f279ac57085e2e28ae3225515f69 Mon Sep 17 00:00:00 2001 From: Buyaa Namnan Date: Wed, 9 Oct 2024 17:26:06 -0700 Subject: [PATCH 1/4] Doc: AssemblyBuilder require fully trusted environment with trusted input --- xml/System.Reflection.Emit/AssemblyBuilder.xml | 9 ++++++++- xml/System.Reflection.Emit/ILGenerator.xml | 9 +++++++++ xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml | 9 ++++++++- 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/xml/System.Reflection.Emit/AssemblyBuilder.xml b/xml/System.Reflection.Emit/AssemblyBuilder.xml index c2c048fcb2c..d7e12c42f25 100644 --- a/xml/System.Reflection.Emit/AssemblyBuilder.xml +++ b/xml/System.Reflection.Emit/AssemblyBuilder.xml 
@@ -76,7 +76,14 @@ Defines and represents a dynamic assembly. - For more information about this API, see Supplemental API remarks for AssemblyBuilder. + For more information about this API, see Supplemental API remarks for AssemblyBuilder. + + [!WARNING] +> `AssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. For example untrusted input that directly affects the produced IL written to an assembly that later loaded and executed, such input can do whatever it wishes. +]]> + + [!WARNING] +> There are no restrictions, other than basic validation for ILGenerator APIs that used for producing method IL. If untrusted input is used for producing IL: + +> - IL and metadata can contain secrets provided by the consumer. +> - IL can be invalid such as not having a balanced push vs. pop opcodes, or invalid operands for a given opcode. +> - Can contain any code that may, for example, deadlock, have infinite stack recursion, or have an infinite loop. +> - IL can load and execute code on any other reachable assembly. + +> Such code can do whatever it wishes when the method is loaded and executed. To restrict such vulnerabilities `ILGenerator` require a fully trusted environment with trusted input. ]]> diff --git a/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml b/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml index 34a88531211..bb59614407e 100644 --- a/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml +++ b/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml 
@@ -25,7 +25,14 @@ Provides an AssemblyBuilder implementation that can persist assembly to a disk or stream. - To be added. + For more information about this API, see Persisted dynamic assemblies in .NET. + + [!WARNING] +> `PersistedAssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. For example untrusted input that directly affects the produced IL written to an assembly that later loaded and executed, such input can do whatever it wishes. +]]> + + From 2f07f00e58dc0e7147672a06cc4dd72e466baf7a Mon Sep 17 00:00:00 2001 From: Buyaa Namnan Date: Wed, 9 Oct 2024 18:14:28 -0700 Subject: [PATCH 2/4] Fix warnings --- xml/System.Reflection.Emit/AssemblyBuilder.xml | 10 +++++++--- xml/System.Reflection.Emit/ILGenerator.xml | 2 -- .../PersistedAssemblyBuilder.xml | 13 ++++++++----- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/xml/System.Reflection.Emit/AssemblyBuilder.xml b/xml/System.Reflection.Emit/AssemblyBuilder.xml index d7e12c42f25..ec3e6c231e9 100644 --- a/xml/System.Reflection.Emit/AssemblyBuilder.xml +++ b/xml/System.Reflection.Emit/AssemblyBuilder.xml @@ -76,9 +76,13 @@ Defines and represents a dynamic assembly. - For more information about this API, see Supplemental API remarks for AssemblyBuilder. - - + [!WARNING] > `AssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. For example untrusted input that directly affects the produced IL written to an assembly that later loaded and executed, such input can do whatever it wishes. ]]> 
diff --git a/xml/System.Reflection.Emit/ILGenerator.xml b/xml/System.Reflection.Emit/ILGenerator.xml index ecbeee5933b..221093a68bf 100644 --- a/xml/System.Reflection.Emit/ILGenerator.xml +++ b/xml/System.Reflection.Emit/ILGenerator.xml @@ -86,12 +86,10 @@ > [!WARNING] > There are no restrictions, other than basic validation for ILGenerator APIs that used for producing method IL. If untrusted input is used for producing IL: - > - IL and metadata can contain secrets provided by the consumer. > - IL can be invalid such as not having a balanced push vs. pop opcodes, or invalid operands for a given opcode. > - Can contain any code that may, for example, deadlock, have infinite stack recursion, or have an infinite loop. > - IL can load and execute code on any other reachable assembly. - > Such code can do whatever it wishes when the method is loaded and executed. To restrict such vulnerabilities `ILGenerator` require a fully trusted environment with trusted input. ]]> diff --git a/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml b/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml index bb59614407e..aa2c153f1c9 100644 --- a/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml +++ b/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml @@ -25,13 +25,16 @@ Provides an AssemblyBuilder implementation that can persist assembly to a disk or stream. - For more information about this API, see Persisted dynamic assemblies in .NET. - - + [!WARNING] > `PersistedAssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. For example untrusted input that directly affects the produced IL written to an assembly that later loaded and executed, such input can do whatever it wishes. -]]> - +]]> 
From c6f266d5fef57d5a1890b028aecd42161f6b942e Mon Sep 17 00:00:00 2001 From: Buyaa Namnan Date: Wed, 9 Oct 2024 21:21:45 -0700 Subject: [PATCH 3/4] Small updates to make it look better --- xml/System.Reflection.Emit/AssemblyBuilder.xml | 2 +- xml/System.Reflection.Emit/ILGenerator.xml | 1 + xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/xml/System.Reflection.Emit/AssemblyBuilder.xml b/xml/System.Reflection.Emit/AssemblyBuilder.xml index ec3e6c231e9..48c0f3f7fa3 100644 --- a/xml/System.Reflection.Emit/AssemblyBuilder.xml +++ b/xml/System.Reflection.Emit/AssemblyBuilder.xml @@ -84,7 +84,7 @@ For more information about this API, see [Supplemental API remarks for AssemblyBuilder](/dotnet/fundamentals/runtime-libraries/system-reflection-emit-assemblybuilder). > [!WARNING] -> `AssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. For example untrusted input that directly affects the produced IL written to an assembly that later loaded and executed, such input can do whatever it wishes. +> `AssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. ]]> diff --git a/xml/System.Reflection.Emit/ILGenerator.xml b/xml/System.Reflection.Emit/ILGenerator.xml index 221093a68bf..6dcc3d105a5 100644 --- a/xml/System.Reflection.Emit/ILGenerator.xml +++ b/xml/System.Reflection.Emit/ILGenerator.xml 
@@ -90,6 +90,7 @@ > - IL can be invalid such as not having a balanced push vs. pop opcodes, or invalid operands for a given opcode. > - Can contain any code that may, for example, deadlock, have infinite stack recursion, or have an infinite loop. > - IL can load and execute code on any other reachable assembly. +> > Such code can do whatever it wishes when the method is loaded and executed. To restrict such vulnerabilities `ILGenerator` require a fully trusted environment with trusted input. ]]> diff --git a/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml b/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml index aa2c153f1c9..87b6335476d 100644 --- a/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml +++ b/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml @@ -33,7 +33,7 @@ For more information about this API, see [Persisted dynamic assemblies in .NET](/dotnet/fundamentals/runtime-libraries/system-reflection-emit-persistedassemblybuilder). > [!WARNING] -> `PersistedAssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. For example untrusted input that directly affects the produced IL written to an assembly that later loaded and executed, such input can do whatever it wishes. +> `PersistedAssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. ]]> From 8d78e98a0add2dd351909251c67b08c512e01ec4 Mon Sep 17 00:00:00 2001 
From: Buyaa Namnan Date: Thu, 10 Oct 2024 10:19:33 -0700 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- xml/System.Reflection.Emit/AssemblyBuilder.xml | 2 +- xml/System.Reflection.Emit/ILGenerator.xml | 9 +++++---- xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/xml/System.Reflection.Emit/AssemblyBuilder.xml b/xml/System.Reflection.Emit/AssemblyBuilder.xml index 48c0f3f7fa3..ee6e05f93d9 100644 --- a/xml/System.Reflection.Emit/AssemblyBuilder.xml +++ b/xml/System.Reflection.Emit/AssemblyBuilder.xml @@ -84,7 +84,7 @@ For more information about this API, see [Supplemental API remarks for AssemblyBuilder](/dotnet/fundamentals/runtime-libraries/system-reflection-emit-assemblybuilder). > [!WARNING] -> `AssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. +> `AssemblyBuilder` APIs require a fully trusted environment with trusted input, similar to other technologies such as compilers. There are no restrictions other than basic validation for generated IL that the `AssemblyBuilder` can contain. That includes validation for member name, count, and associated metadata, such as custom attributes. ]]> diff --git a/xml/System.Reflection.Emit/ILGenerator.xml b/xml/System.Reflection.Emit/ILGenerator.xml index 6dcc3d105a5..5a55b1aab0b 100644 --- a/xml/System.Reflection.Emit/ILGenerator.xml +++ b/xml/System.Reflection.Emit/ILGenerator.xml 
@@ -85,13 +85,14 @@ MSIL is used as input to a just-in-time (JIT) compiler. > [!WARNING] -> There are no restrictions, other than basic validation for ILGenerator APIs that used for producing method IL. If untrusted input is used for producing IL: +> There are no restrictions, other than basic validation, for ILGenerator APIs that produce method IL. If untrusted input is used for producing IL: +> > - IL and metadata can contain secrets provided by the consumer. -> - IL can be invalid such as not having a balanced push vs. pop opcodes, or invalid operands for a given opcode. -> - Can contain any code that may, for example, deadlock, have infinite stack recursion, or have an infinite loop. +> - IL can be invalid, such as not having balanced push versus pop opcodes, or invalid operands for a given opcode. +> - IL can contain any code that might, for example, deadlock, have infinite stack recursion, or have an infinite loop. > - IL can load and execute code on any other reachable assembly. > -> Such code can do whatever it wishes when the method is loaded and executed. To restrict such vulnerabilities `ILGenerator` require a fully trusted environment with trusted input. +> Such code can do whatever it wishes when the method is loaded and executed. To protect against such vulnerabilities, `ILGenerator` requires a fully trusted environment with trusted input. ]]> diff --git a/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml b/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml index 87b6335476d..5ac7b40f00e 100644 --- a/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml +++ b/xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml 
@@ -33,7 +33,7 @@ For more information about this API, see [Persisted dynamic assemblies in .NET](/dotnet/fundamentals/runtime-libraries/system-reflection-emit-persistedassemblybuilder). > [!WARNING] -> `PersistedAssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. +> `PersistedAssemblyBuilder` APIs require a fully trusted environment with trusted input, similar to other technologies such as compilers. There are no restrictions other than basic validation for generated IL that the `AssemblyBuilder` can contain. That includes validation for member name, count, and associated metadata, such as custom attributes. ]]>
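Review bot: In patch 1, the `AssemblyBuilder.xml` hunk (`@@ -76,7 +76,14 @@`) and the `PersistedAssemblyBuilder.xml` hunk (`@@ -25,7 +25,14 @@`) add `[!WARNING]` without the leading `> `, so the alert header is malformed and the `> ` lines that follow render as a plain blockquote instead of a warning box; patch 2 corrects this to `> [!WARNING]`. Since the fix is already in the series, squash patches 1 through 3 so the broken markup never lands as a standalone commit.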
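Review bot: In patch 1, the `ILGenerator.xml` hunk leaves unprefixed blank lines between "If untrusted input is used for producing IL:" and the bullet list, and again before "Such code can do whatever it wishes"; an unquoted blank line ends the blockquote, so the bullets and the closing sentence fall outside the warning. Patch 2 removes the blank lines and patch 3 restores the separator as a bare `>`, which is the correct form; the same squash applies here.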
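Review bot: In patch 4, the `PersistedAssemblyBuilder.xml` hunk (`@@ -33,7 +33,7 @@`) still reads "that the `AssemblyBuilder` can contain" inside the PersistedAssemblyBuilder topic; it should say `PersistedAssemblyBuilder`. More importantly, this type writes the assembly "to a disk or stream", so the trust boundary also covers whoever later loads the saved file; patch 3 dropped the "later loaded and executed" wording, and the warning should keep a sentence saying the persisted output is executable code that must be protected and loaded only from a trusted location.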
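Review bot: In patch 4, the `AssemblyBuilder.xml` hunk (`@@ -84,7 +84,7 @@`) changes the meaning of the sentence: "There are no restrictions other than basic validation for generated IL ... That includes validation for member name, count, and associated metadata" now reads as if names, counts and metadata are validated, whereas the replaced line listed them as things that are not restricted. Pick one reading and state it directly, for example "Only basic validation is performed on generated IL; member names, member counts, and associated metadata such as custom attributes are not restricted." The identical sentence in the `PersistedAssemblyBuilder.xml` hunk needs the same fix.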
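Review bot: In patch 4, the `ILGenerator.xml` hunk (`@@ -85,13 +85,14 @@`) keeps "IL and metadata can contain secrets provided by the consumer" without saying what the risk is; the point worth stating is that anything emitted into IL or metadata (string literals, constants, attribute arguments) is recoverable by anyone who can inspect, persist or decompile the assembly, so secrets must not be baked in. In the same list, "execute code on any other reachable assembly" should be "in" or "from". Finally, the bullet on invalid IL (unbalanced push versus pop, bad operands) should say what happens when such IL is JIT-compiled, that is, whether the failure is a contained exception or undefined behavior, since that is what a reader deciding whether to accept external input needs to know.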