Merged PR 6983: MSRC 54120: XAMLReader.Load used by GetFixedDocumentSequence method which could lead to code execution [.Net Core 3.1] - Missing variant fix

[Bug 1092072](https://devdiv.visualstudio.com/DefaultCollection/DevDiv/_workitems/edit/1092072): MSRC 54120: XAMLReader.Load used by `GetFixedDocumentSequence` method which could lead to code execution [.Net Core 3.1] - Missing variant fix

## **Description**
Loose xaml can contain executable payload e.g. `ObjectDataProvider`. This XAML can be included as part of `XpsDocument`s in their `FixedDocumentSequence` or `FixedPage`.

In WPF, we were allowing `XpsDocument`s to be loaded freely via `XamlReader.Load`.

This exposes an attack vector - when a user downloads an XPS file from the internet for viewing, they could end up executing untrusted code.

The fix is to identify known dangerous `Type`s and limit them from being deserialized during XAML loading. In order to accomplish this, we previously added new non-public overloads to the `XamlReader.Load` method to enable the use of `RestrictiveXamlXmlReader`.`RestrictiveXamlXmlReader` restricts known dangerous `Type`s from being loaded while deserializing xaml.

One of these dangerous `Type`s is `System.Windows.ResourceDictionary`, which is a valid `Type` in XML schema. To allow this valid `Type` we added another non-public overload to the `XamlReader.Load` method which takes an additional parameter, safeTypes, a list of `Type`s which can be loaded safely. We also added a new constructor to the `RestrictiveXamlXmlReader` which takes an additional parameter of safeTypes which are marked as safe to load for this instance of the `RestrictiveXamlXmlReader`.

### **Customer Impact**
Customers would be protected from opening potentially-compromised XPS documents.

### **Regression**
No. This security issue was reported by an external party.

### **Risk - Low**
- This change only affects loading XPS documents.
- The change has been tested well internally.
  - We ran regression tests to ensure nothing else is inadvertently broken.
  - Validated against POC to ensure that the fix works as intended.

Author: arpitmathur

src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Documents/XpsS0ValidatingLoader.cs

@@ -59,13 +59,17 @@ internal void Validate(Stream stream, Uri parentUri, ParserContext pc, ContentTy
         /// <returns></returns>
         private object Load(Stream stream, Uri parentUri, ParserContext pc, ContentType mimeType, string rootElement)
         {
-            object obj = null;
+            object obj = null;
+
+            List<Type> safeTypes = new List<Type> { typeof(System.Windows.ResourceDictionary) };
 
             if (!DocumentMode)
             {                       // Loose XAML, just check against schema, don't check content type
                 if (rootElement==null)
-                {
-                    obj = XamlReader.Load(stream, pc);
+                {
+                    XmlReader reader = XmlReader.Create(stream, null, pc);
+                    obj = XamlReader.Load(reader, pc, XamlParseMode.Synchronous, true, safeTypes);
+                    stream.Close();
                 }
             }
             else
@@ -148,10 +152,10 @@ private object Load(Stream stream, Uri parentUri, ParserContext pc, ContentType
                         ;
                 }
                 else
-                {
-                    obj = XamlReader.Load(xpsSchemaValidator.XmlReader,
-                                    pc,
-                                    XamlParseMode.Synchronous);
+                {
+                    obj = XamlReader.Load(xpsSchemaValidator.XmlReader,
+                               pc,
+                               XamlParseMode.Synchronous, true, safeTypes);
                 }
                 _validResources.Pop();
             }

src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/RestrictiveXamlXmlReader.cs

@@ -61,6 +61,20 @@ static RestrictiveXamlXmlReader()
         /// </summary>
         public RestrictiveXamlXmlReader(XmlReader xmlReader, XamlSchemaContext schemaContext, XamlXmlReaderSettings settings) : base(xmlReader, schemaContext, settings)
         {
+        }
+
+        /// <summary>
+        /// Builds the restricted set based on RestrictedTypes that have already been loaded but adds the list of Types passed in in safeTypes to the instance of _safeTypesSet
+        /// </summary>
+        internal RestrictiveXamlXmlReader(XmlReader xmlReader, XamlSchemaContext schemaContext, XamlXmlReaderSettings settings, List<Type> safeTypes) : base(xmlReader, schemaContext, settings)
+        {
+            if (safeTypes != null)
+            {
+                foreach (Type safeType in safeTypes)
+                {
+                    _safeTypesSet.Add(safeType);
+                }
+            }
         }
 
         /// <summary>

src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/XamlReader.cs

@@ -13,7 +13,8 @@
 using System.IO.Packaging;
 using System.Windows;
 using System.ComponentModel;
-using System.Collections;
+using System.Collections;
+using System.Collections.Generic;
 using System.Diagnostics;
 using System.Reflection;
 
@@ -744,10 +745,33 @@ internal static object Load(
         /// RestrictiveXamlXmlReader to restrict instantiation of potentially dangerous types</param>
         /// <returns>object root generated after xml parsed</returns>
         internal static object Load(
-        XmlReader reader,
-        ParserContext parserContext,
-        XamlParseMode parseMode,
-        bool useRestrictiveXamlReader)
+           XmlReader reader,
+           ParserContext parserContext,
+           XamlParseMode parseMode,
+           bool useRestrictiveXamlReader)
+        {
+            return Load(reader, parserContext, parseMode, useRestrictiveXamlReader, null);
+        }
+
+        /// <summary>
+        /// Reads XAML from the passed stream, building an object tree and returning the
+        /// root of that tree.  Wrap a CompatibilityReader with another XmlReader that
+        /// uses the passed reader settings to allow validation of xaml.
+        /// </summary>
+        /// <param name="reader">XmlReader to use.  This is NOT wrapped by any
+        ///  other reader</param>
+        /// <param name="context">Optional parser context.  May be null </param>
+        /// <param name="parseMode">Sets synchronous or asynchronous parsing</param>
+        /// <param name="useRestrictiveXamlReader">Whether or not this method should use 
+        /// RestrictiveXamlXmlReader to restrict instantiation of potentially dangerous types</param>
+        /// <param name="safeTypes">List of known safe Types to be allowed through the RestrictiveXamlXmlReader</param>
+        /// <returns>object root generated after xml parsed</returns>
+        internal static object Load(
+            XmlReader reader,
+            ParserContext parserContext,
+            XamlParseMode parseMode,
+            bool useRestrictiveXamlReader,
+            List<Type> safeTypes)
         {
             if (parseMode == XamlParseMode.Uninitialized ||
                 parseMode == XamlParseMode.Asynchronous)
@@ -805,7 +829,7 @@ internal static object Load(
 
                 XamlSchemaContext schemaContext = parserContext.XamlTypeMapper != null ?
                     parserContext.XamlTypeMapper.SchemaContext : GetWpfSchemaContext();
-                System.Xaml.XamlXmlReader xamlXmlReader = (useRestrictiveXamlReader) ? new RestrictiveXamlXmlReader(reader, schemaContext, settings):
+                System.Xaml.XamlXmlReader xamlXmlReader = (useRestrictiveXamlReader) ? new RestrictiveXamlXmlReader(reader, schemaContext, settings, safeTypes) :
                                                                                        new System.Xaml.XamlXmlReader(reader, schemaContext, settings);
                 root = Load(xamlXmlReader, parserContext);
                 reader.Close();