Harden metadata handler invoker against bad metadata (#47433)

tmat · web-flow · commit c7a08c9e0912 · 2025-03-20T08:58:54.000-07:00
diff --git a/src/BuiltInTools/HotReloadAgent/MetadataUpdateHandlerInvoker.cs b/src/BuiltInTools/HotReloadAgent/MetadataUpdateHandlerInvoker.cs
@@ -318,7 +318,7 @@ internal static List<Assembly> TopologicalSort(Assembly[] assemblies)
     {
         var sortedAssemblies = new List<Assembly>(assemblies.Length);
 
-        var visited = new HashSet<string>(StringComparer.Ordinal);
+        var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
 
         foreach (var assembly in assemblies)
         {
@@ -327,15 +327,46 @@ internal static List<Assembly> TopologicalSort(Assembly[] assemblies)
 
         static void Visit(Assembly[] assemblies, Assembly assembly, List<Assembly> sortedAssemblies, HashSet<string> visited)
         {
-            var assemblyIdentifier = assembly.GetName().Name!;
-            if (!visited.Add(assemblyIdentifier))
+            string assemblyIdentifier;
+
+            try
+            {
+                assemblyIdentifier = assembly.GetName().Name;
+            }
+            catch
+            {
+                return;
+            }
+
+            if (assemblyIdentifier == null || !visited.Add(assemblyIdentifier))
             {
                 return;
             }
 
-            foreach (var dependencyName in assembly.GetReferencedAssemblies())
+            AssemblyName[] referencedAssemblies;
+            try
             {
-                var dependency = Array.Find(assemblies, a => a.GetName().Name == dependencyName.Name);
+                referencedAssemblies = assembly.GetReferencedAssemblies();
+            }
+            catch
+            {
+                referencedAssemblies = [];
+            }
+
+            foreach (var dependencyName in referencedAssemblies)
+            {
+                var dependency = Array.Find(assemblies, a =>
+                {
+                    try
+                    {
+                        return string.Equals(a.GetName().Name, dependencyName.Name, StringComparison.OrdinalIgnoreCase);
+                    }
+                    catch
+                    {
+                        return false;
+                    }
+                });
+
                 if (dependency is not null)
                 {
                     Visit(assemblies, dependency, sortedAssemblies, visited);
