Add Xml default resolver parameter for XslCompiledTransform.Transform #8655
Looks good, security approved offline.
I have a few minor things for consideration:
- FEATURE_COMPILED_XSL removal
- Do we actually need to explicitly opt-in in our code via? AppContext.SetSwitch("Switch.System.Xml.AllowDefaultResolver", true);
- Additionally - it was advised to us offline that it'd be nice to log a message pointing to the doc (https://aka.ms/msbuild/xsltransformation-task) in case the UseTrustedSettings is opted in (so that users are pointed to the further details, informing about security implications and considerations).
…g log or binlog. And the recursively (concatenated) error in the error message.
Thanks @JaynieBai for updating this PR. Can you please as well add the info log message when the This was suggested by security during the approval for this. The formulation can be something like:
src/Tasks/Resources/Strings.resx
@@ -2329,6 +2329,9 @@ | |||
</data> | |||
<data name="XslTransform.UseTrustedSettings" xml:space="preserve"> | |||
<value>The usage of the document() method and embedded scripts is prohibited by default, due to risks of foreign code execution. If "{0}" is a trusted source that requires those constructs, please set the "UseTrustedSettings" parameter to "true" to allow their execution.</value> | |||
</data> | |||
<data name="XslTransform.SecuritySettingsViaUseTrustedSettings" xml:space="preserve"> | |||
<value>You are enabling relaxed XSLT security settings via UseTrustedSettings parameter. For more details on security implications of this settings please see https://aka.ms/msbuild/xsltransformation-task</value> |
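Review bot: the new XslTransform.SecuritySettingsViaUseTrustedSettings value writes the parameter name bare, while the neighbouring XslTransform.UseTrustedSettings string writes it as "UseTrustedSettings" in quotes; quote it here as well so the two messages match. The new message also says only "relaxed XSLT security settings" without naming what is relaxed, whereas the string above it names the document() method and embedded scripts. Naming the same two constructs here would make the log line understandable without following the link.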
<value>You are enabling relaxed XSLT security settings via UseTrustedSettings parameter. For more details on security implications of this settings please see https://aka.ms/msbuild/xsltransformation-task</value> | |
<value>You are enabling relaxed XSLT security settings via the UseTrustedSettings parameter. For more details on security implications of this setting please see https://aka.ms/msbuild/xsltransformation-task</value> |
for (int i = 0; i < xmlinput.Count; i++) | ||
{ | ||
using (XmlWriter xmlWriter = XmlWriter.Create(_outputPaths[i].ItemSpec, xslct.OutputSettings)) | ||
{ | ||
using (XmlReader xr = xmlinput.CreateReader(i)) | ||
{ | ||
xslct.Transform(xr, arguments, xmlWriter); | ||
xslct.Transform(xr, arguments, xmlWriter, new XmlUrlResolver()); |
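Review bot: the changed Transform call passes new XmlUrlResolver() unconditionally, and nothing in these lines ties it to the task's trust setting. Please add a code comment at the call stating what blocks external resolution when the task is not trusted, or pass the resolver only in the trusted case, so a later edit does not silently widen access. The resolver is also constructed on every iteration of the for loop; creating it once before the loop would be enough.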
It feels weird to me to always pass the resolver, even when not trusted. I see though that it's also always passed to the constructors of the XslCompiledTransform.
Should we pass it only when UseTrustedSettings is true?
Since .NET Core does not allow resolving external URIs for XML by default, that default resolver is added explicitly. If UseTrustedSettings is false, it won't allow the XSLT document() function. The XmlUrlResolver that resolves the document function won't work.
If UseTrustedSettings is false and there is a document, it will report the following error before resolving the document.
…into jennybai/issue8570
I'm sorry to bother you, but how and when does this fix get delivered? I see the fix was merged almost 2 months ago, but the Azure DevOps build is still failing, as is my local build. The ADO build and my local build report using MSBuild version 17.6.8+c70978d4d for .NET
@edstegman the fix will be in MSBuild 17.7, which will release with Visual Studio 17.7 "soon".
Fixes #8570 part 1
Context
The UseTrustedSettings parameter for the XslTransformation task is ignored when using dotnet build since the resolver is not being set.
Changes Made
Use an XslCompiledTransform.Transform overload that takes an XmlResolver parameter.
Add the info log message when the UseTrustedSettings is opted-in on the Task
Testing
Enable the earlier disabled test XslDocumentFunctionWorks() on net7.0
Notes
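The interaction discussed in this thread, as an added example that is not part of the PR or of MSBuild's code: the same Transform overload with an explicit XmlUrlResolver is used twice, and only the XsltSettings given to Load decide whether document() runs. The class name, the Run helper, the stylesheet and the sample file name are assumptions made for the illustration.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Xsl;

static class DocumentFunctionGate
{
    // Constructed stylesheet: copies the root element of a second file via document().
    const string Sheet =
        "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>" +
        "<xsl:param name='other'/>" +
        "<xsl:template match='/'><out><xsl:copy-of select='document($other)/*'/></out></xsl:template>" +
        "</xsl:stylesheet>";

    // Hypothetical helper: runs the transform with the given settings and returns the output.
    static string Run(XsltSettings settings, string otherUri)
    {
        var xslt = new XslCompiledTransform();
        using (XmlReader sheet = XmlReader.Create(new StringReader(Sheet)))
            xslt.Load(sheet, settings, new XmlUrlResolver());
        var args = new XsltArgumentList();
        args.AddParam("other", "", otherUri);

        var output = new StringBuilder();
        using (XmlReader input = XmlReader.Create(new StringReader("<in/>")))
        using (XmlWriter writer = XmlWriter.Create(output, xslt.OutputSettings))
        {
            // Resolver passed explicitly in both cases, as in the PR's Transform call.
            xslt.Transform(input, args, writer, new XmlUrlResolver());
        }
        return output.ToString();
    }

    static void Main()
    {
        // Constructed sample file that the stylesheet pulls in through document().
        string path = Path.Combine(Path.GetTempPath(), "document-gate-sample.xml");
        File.WriteAllText(path, "<data>constructed sample</data>");
        string uri = new Uri(path).AbsoluteUri;

        // Untrusted default: document() is disabled, so the transform reports an error.
        try { Console.WriteLine("Default: " + Run(XsltSettings.Default, uri)); }
        catch (XsltException e) { Console.WriteLine("Default blocked: " + e.Message); }

        // document() enabled, script still disabled.
        Console.WriteLine("Enabled: " + Run(new XsltSettings(true, false), uri));
    }
}
```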