Skip to content

[msbuild] Validate extracted resource paths in UnpackLibraryResources#25911

Open
rolfbjarne wants to merge 6 commits into
mainfrom
dev/rolf/fix-zip-path-traversal
Open

[msbuild] Validate extracted resource paths in UnpackLibraryResources#25911
rolfbjarne wants to merge 6 commits into
mainfrom
dev/rolf/fix-zip-path-traversal

Conversation

@rolfbjarne

@rolfbjarne rolfbjarne commented Jul 2, 2026

Copy link
Copy Markdown
Member

Ensure that the resolved path for extracted resources stays within the intended output directory. If an embedded resource name contains path traversal sequences (e.g. '..'), the task now logs an error and skips that resource.

Ensure that the resolved path for extracted resources stays within
the intended output directory. If an embedded resource name contains
path traversal sequences (e.g. '..'), the task now logs an error and
skips that resource.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 2, 2026 12:59
@rolfbjarne rolfbjarne requested a review from mauroa as a code owner July 2, 2026 12:59

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the UnpackLibraryResources MSBuild task against path traversal by validating that embedded resources can only be extracted within the intended intermediate output subdirectory.

Changes:

  • Added a containment check for computed extraction paths in UnpackLibraryResources and logs an error when the resource would extract out-of-bounds.
  • Added a new localized error string (E7183) describing the out-of-bounds extraction attempt.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
msbuild/Xamarin.MacDev.Tasks/Tasks/UnpackLibraryResources.cs Adds extraction path containment validation and error logging before writing embedded resources to disk.
msbuild/Xamarin.Localization.MSBuild/MSBStrings.resx Introduces E7183 for the new extraction path validation error message.

Comment thread msbuild/Xamarin.MacDev.Tasks/Tasks/UnpackLibraryResources.cs
@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@rolfbjarne rolfbjarne removed the request for review from mauroa July 2, 2026 17:00
Switch from manual GetFullPath+StartsWith check to the existing
PathUtils.IsPathContained helper which also handles symlinks.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Comment thread msbuild/Xamarin.MacDev.Tasks/Tasks/UnpackLibraryResources.cs Outdated
Comment thread msbuild/Xamarin.Localization.MSBuild/MSBStrings.resx Outdated
Comment thread msbuild/Xamarin.MacDev.Tasks/Tasks/UnpackLibraryResources.cs
Add tests verifying that:
- Resources with path traversal sequences are rejected with E7183.
- Valid resources are still extracted correctly.

Also update E7183 to include the computed path and target directory
in the error message for easier diagnosis.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@vs-mobiletools-engineering-service2

This comment has been minimized.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Comment on lines +7 to +9
using System.Reflection.Metadata;
using System.Reflection.Metadata.Ecma335;
using System.Reflection.PortableExecutable;
Comment on lines +42 to +45
// Add the embedded resource
var resourceBlob = metadataBuilder.GetOrAddBlob (content);
metadataBuilder.AddManifestResource (
ManifestResourceAttributes.Public,
@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

rolfbjarne and others added 2 commits July 2, 2026 20:33
Use pre-compiled test assemblies instead of System.Reflection.Metadata
APIs to avoid type conflicts between the framework and package versions
of System.Reflection.Metadata referenced by the test project.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
…ests

These were compiled with:
  csc -target:library -out:Traversal.dll -resource:r.txt,__monotouch_content_.._sEvil.txt empty.cs
  csc -target:library -out:Valid.dll -resource:r.txt,__monotouch_content_sub_sfile.txt empty.cs

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

dalexsoto
dalexsoto previously approved these changes Jul 2, 2026
@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

Copy link
Copy Markdown
Collaborator

✅ [PR Build #609bcf5] Build passed (Build macOS tests) ✅

Pipeline on Agent
Hash: 609bcf57f9bfef044f98797ae3ae14650e803c3b [PR build]

@vs-mobiletools-engineering-service2

Copy link
Copy Markdown
Collaborator

✅ API diff for current PR / commit

NET (empty diffs)

✅ API diff vs stable

NET (empty diffs)

ℹ️ Generator diff

Generator Diff: vsdrops (html) vsdrops (raw diff) gist (raw diff) - Please review changes)

Pipeline on Agent
Hash: 609bcf57f9bfef044f98797ae3ae14650e803c3b [PR build]

@vs-mobiletools-engineering-service2

This comment has been minimized.

Replace pre-compiled binary test DLLs with runtime assembly creation
using Mono.Cecil. This avoids checking in binary files and makes the
test self-contained.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@vs-mobiletools-engineering-service2

This comment has been minimized.

@vs-mobiletools-engineering-service2

Copy link
Copy Markdown
Collaborator

🔥 [CI Build #8597525] Test results 🔥

Test results

❌ Tests failed on VSTS: test results

30 tests crashed, 0 tests failed, 0 tests passed.

Failures

❌ assembly-processing tests

🔥 Failed catastrophically on VSTS: test results - assembly-processing (no summary found).

Html Report (VSDrops) Download

❌ cecil tests

🔥 Failed catastrophically on VSTS: test results - cecil (no summary found).

Html Report (VSDrops) Download

❌ dotnettests tests (iOS)

🔥 Failed catastrophically on VSTS: test results - dotnettests_ios (no summary found).

Html Report (VSDrops) Download

❌ dotnettests tests (MacCatalyst)

🔥 Failed catastrophically on VSTS: test results - dotnettests_maccatalyst (no summary found).

Html Report (VSDrops) Download

❌ dotnettests tests (macOS)

🔥 Failed catastrophically on VSTS: test results - dotnettests_macos (no summary found).

Html Report (VSDrops) Download

❌ dotnettests tests (Multiple platforms)

🔥 Failed catastrophically on VSTS: test results - dotnettests_multiple (no summary found).

Html Report (VSDrops) Download

❌ dotnettests tests (tvOS)

🔥 Failed catastrophically on VSTS: test results - dotnettests_tvos (no summary found).

Html Report (VSDrops) Download

❌ framework tests

🔥 Failed catastrophically on VSTS: test results - framework (no summary found).

Html Report (VSDrops) Download

❌ fsharp tests

🔥 Failed catastrophically on VSTS: test results - fsharp (no summary found).

Html Report (VSDrops) Download

❌ generator tests

🔥 Failed catastrophically on VSTS: test results - generator (no summary found).

Html Report (VSDrops) Download

❌ interdependent-binding-projects tests

🔥 Failed catastrophically on VSTS: test results - interdependent-binding-projects (no summary found).

Html Report (VSDrops) Download

❌ introspection tests

🔥 Failed catastrophically on VSTS: test results - introspection (no summary found).

Html Report (VSDrops) Download

❌ linker tests (iOS)

🔥 Failed catastrophically on VSTS: test results - linker_ios (no summary found).

Html Report (VSDrops) Download

❌ linker tests (MacCatalyst)

🔥 Failed catastrophically on VSTS: test results - linker_maccatalyst (no summary found).

Html Report (VSDrops) Download

❌ linker tests (macOS)

🔥 Failed catastrophically on VSTS: test results - linker_macos (no summary found).

Html Report (VSDrops) Download

❌ linker tests (tvOS)

🔥 Failed catastrophically on VSTS: test results - linker_tvos (no summary found).

Html Report (VSDrops) Download

❌ monotouch tests (iOS)

🔥 Failed catastrophically on VSTS: test results - monotouch_ios (no summary found).

Html Report (VSDrops) Download

❌ monotouch tests (MacCatalyst)

🔥 Failed catastrophically on VSTS: test results - monotouch_maccatalyst (no summary found).

Html Report (VSDrops) Download

❌ monotouch tests (macOS)

🔥 Failed catastrophically on VSTS: test results - monotouch_macos (no summary found).

Html Report (VSDrops) Download

❌ monotouch tests (tvOS)

🔥 Failed catastrophically on VSTS: test results - monotouch_tvos (no summary found).

Html Report (VSDrops) Download

❌ msbuild tests

🔥 Failed catastrophically on VSTS: test results - msbuild (no summary found).

Html Report (VSDrops) Download

❌ sharpie tests

🔥 Failed catastrophically on VSTS: test results - sharpie (no summary found).

Html Report (VSDrops) Download

❌ windows tests

🔥 Failed catastrophically on VSTS: test results - windows (no summary found).

Html Report (VSDrops) Download

❌ xcframework tests

🔥 Failed catastrophically on VSTS: test results - xcframework (no summary found).

Html Report (VSDrops) Download

❌ xtro tests

🔥 Failed catastrophically on VSTS: test results - xtro (no summary found).

Html Report (VSDrops) Download

❌ Tests on macOS Monterey (12) tests

🔥 Failed catastrophically on VSTS: test results - mac_monterey (no summary found).

Html Report (VSDrops) Download

❌ Tests on macOS Ventura (13) tests

🔥 Failed catastrophically on VSTS: test results - mac_ventura (no summary found).

Html Report (VSDrops) Download

❌ Tests on macOS Sonoma (14) tests

🔥 Failed catastrophically on VSTS: test results - mac_sonoma (no summary found).

Html Report (VSDrops) Download

❌ Tests on macOS Sequoia (15) tests

🔥 Failed catastrophically on VSTS: test results - mac_sequoia (no summary found).

Html Report (VSDrops) Download

❌ Tests on macOS Tahoe (26) tests

🔥 Failed catastrophically on VSTS: test results - mac_tahoe (no summary found).

Html Report (VSDrops) Download

Successes

macOS tests

Linux Build Verification

Linux build failed

Pipeline on Agent
Hash: 8597525c5bf8583850d071306501405a05e79273 [PR build]

@vs-mobiletools-engineering-service2

Copy link
Copy Markdown
Collaborator

🔥 [PR Build #8597525] Build failed (Detect API changes) 🔥

Build failed for the job 'Detect API changes' (with job status 'Failed')

Pipeline on Agent
Hash: 8597525c5bf8583850d071306501405a05e79273 [PR build]

@vs-mobiletools-engineering-service2

Copy link
Copy Markdown
Collaborator

🔥 [PR Build #8597525] Build failed (Build packages) 🔥

Build failed for the job 'Build packages' (with job status 'Failed')

Pipeline on Agent
Hash: 8597525c5bf8583850d071306501405a05e79273 [PR build]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants