mirrors/dotnet-installer
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Poison SBRP (#17339)

Browse source
This commit is contained in:
Ella Hathaway 2023-10-20 11:19:03 -07:00 committed by GitHub
parent 7c50a5c83c
commit 7f1c8c7b3d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 62 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
src/SourceBuild/content/eng/tools/tasks/Microsoft.DotNet.SourceBuild.Tasks.LeakDetection/CheckForPoison.cs
View file

@ -12,8 +12,11 @@ using System.IO;
using System.IO.Compression; using System.IO.Compression;
using System.Linq; using System.Linq;
using System.Reflection; using System.Reflection;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;
using System.Security.Cryptography; using System.Security.Cryptography;
using System.Text; using System.Text;
using System.Text.RegularExpressions;
using System.Xml; using System.Xml;
using System.Xml.Linq; using System.Xml.Linq;
@ -147,6 +150,10 @@ namespace Microsoft.DotNet.SourceBuild.Tasks.LeakDetection
private const string PoisonMarker = "POISONED"; private const string PoisonMarker = "POISONED";
private const string SbrpAttributeType = "System.Reflection.AssemblyMetadataAttribute";
private const string SbrpAttributeValuePattern = "source\\s?source\\-build\\-reference\\-packages";
private record CandidateFileEntry(string ExtractedPath, string DisplayPath); private record CandidateFileEntry(string ExtractedPath, string DisplayPath);
public override bool Execute() public override bool Execute()
@ -298,7 +305,11 @@ namespace Microsoft.DotNet.SourceBuild.Tasks.LeakDetection
try try
{ {
AssemblyName asm = AssemblyName.GetAssemblyName(fileToCheck); AssemblyName asm = AssemblyName.GetAssemblyName(fileToCheck);
if (IsAssemblyPoisoned(fileToCheck)) if (!candidate.DisplayPath.Contains("SourceBuildReferencePackages") && IsAssemblyFromSbrp(fileToCheck))
{
poisonEntry.Type |= PoisonType.SourceBuildReferenceAssembly;
}
else if (IsAssemblyPoisoned(fileToCheck))
{ {
poisonEntry.Type |= PoisonType.AssemblyAttribute; poisonEntry.Type |= PoisonType.AssemblyAttribute;
} }
@ -332,6 +343,41 @@ namespace Microsoft.DotNet.SourceBuild.Tasks.LeakDetection
return false; return false;
} }
private static bool IsAssemblyFromSbrp(string assemblyPath)
{
using var stream = new FileStream(assemblyPath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite);
using var peReader = new PEReader(stream);
MetadataReader reader = peReader.GetMetadataReader();
return reader.CustomAttributes.Select(attrHandle => reader.GetCustomAttribute(attrHandle))
.Any(attr => IsAttributeSbrp(reader, attr));
}
private static bool IsAttributeSbrp(MetadataReader reader, CustomAttribute attr)
{
string attributeType = string.Empty;
if (attr.Constructor.Kind == HandleKind.MemberReference)
{
MemberReference mref = reader.GetMemberReference((MemberReferenceHandle)attr.Constructor);
if (mref.Parent.Kind == HandleKind.TypeReference)
{
TypeReference tref = reader.GetTypeReference((TypeReferenceHandle)mref.Parent);
attributeType = $"{reader.GetString(tref.Namespace)}.{reader.GetString(tref.Name)}";
}
}
if (attributeType == SbrpAttributeType)
{
BlobReader blobReader = reader.GetBlobReader(attr.Value);
string attributeValue = Encoding.UTF8.GetString(blobReader.ReadBytes(blobReader.Length));
attributeValue = Regex.Replace(attributeValue, @"\p{C}+", string.Empty);
return Regex.IsMatch(attributeValue, SbrpAttributeValuePattern);
}
return false;
}
private static PoisonedFileEntry ExtractAndCheckZipFileOnly(IEnumerable<CatalogPackageEntry> catalogedPackages, CandidateFileEntry candidate, string markerFileName, string tempDir, Queue<CandidateFileEntry> futureFilesToCheck) private static PoisonedFileEntry ExtractAndCheckZipFileOnly(IEnumerable<CatalogPackageEntry> catalogedPackages, CandidateFileEntry candidate, string markerFileName, string tempDir, Queue<CandidateFileEntry> futureFilesToCheck)
{ {
var poisonEntry = new PoisonedFileEntry(); var poisonEntry = new PoisonedFileEntry();

1
src/SourceBuild/content/eng/tools/tasks/Microsoft.DotNet.SourceBuild.Tasks.LeakDetection/PoisonType.cs
View file

@ -11,5 +11,6 @@ namespace Microsoft.DotNet.SourceBuild.Tasks.LeakDetection
Hash = 1, Hash = 1,
AssemblyAttribute = 2, AssemblyAttribute = 2,
NupkgFile = 4, NupkgFile = 4,
SourceBuildReferenceAssembly = 8,
} }
} }

15
src/SourceBuild/content/test/Microsoft.DotNet.SourceBuild.SmokeTests/assets/baselines/PoisonUsage.txt
View file

@ -1 +1,14 @@
<PrebuiltLeakReport /> <PrebuiltLeakReport>
<File Path="artifacts/x64/Release/dotnet-sdk-x.y.z-banana-rid.tar.gz/sdk/x.y.z/DotnetTools/dotnet-format/Microsoft.Bcl.AsyncInterfaces.dll">
<Type>SourceBuildReferenceAssembly</Type>
</File>
<File Path="artifacts/x64/Release/Private.SourceBuilt.Artifacts.x.y.z/dotnet-format.x.y.z.nupkg/tools/netx.y/any/Microsoft.Bcl.AsyncInterfaces.dll">
<Type>SourceBuildReferenceAssembly</Type>
</File>
<File Path="artifacts/x64/Release/Private.SourceBuilt.Artifacts.x.y.z/Microsoft.TestPlatform.CLI.x.y.z/contentFiles/any/netx.y/Microsoft.Extensions.DependencyModel.dll">
<Type>SourceBuildReferenceAssembly</Type>
</File>
<File Path="artifacts/x64/Release/Private.SourceBuilt.Artifacts.x.y.z/Microsoft.TestPlatform.CLI.x.y.z/contentFiles/any/netx.y/Microsoft.Extensions.FileSystemGlobbing.dll">
<Type>SourceBuildReferenceAssembly</Type>
</File>
</PrebuiltLeakReport>