Exemplo n.º 1
0
        protected virtual bool IsProjectSafeWithImports(out string securityErrorMessage)
        {
            securityErrorMessage = String.Empty;

            // Now get the directly imports and do the comparision.
            string[] directImports = this.securityCheckHelper.GetDirectlyImportedProjects(this.projectShim);
            if (directImports != null && directImports.Length > 0)
            {
                IList <string> safeImportList = ProjectSecurityChecker.GetSafeImportList();

                for (int i = 0; i < directImports.Length; i++)
                {
                    string fileToCheck = directImports[i];
                    if (!ProjectSecurityChecker.IsSafeImport(safeImportList, fileToCheck))
                    {
                        using (RegistryKey root = VSRegistry.RegistryRoot(__VsLocalRegistryType.RegType_Configuration))
                        {
                            securityErrorMessage = String.Format(CultureInfo.CurrentCulture, SR.GetString(SR.DetailsImport, CultureInfo.CurrentUICulture), Path.GetFileName(this.projectShim.FullFileName), fileToCheck, Path.Combine(root.Name, SafeImportsSubkey));
                        }

                        return(false);
                    }
                }
            }

            return(true);
        }
Exemplo n.º 2
0
        public virtual bool IsProjectSafeAtLoadTime(out string securityErrorMessage)
        {
            securityErrorMessage = String.Empty;

            StringBuilder securityMessageMaker = new StringBuilder();
            int           counter = 0;
            string        tempMessage;

            // STEP 1: Check direct imports.
            if (!this.IsProjectSafeWithImports(out tempMessage))
            {
                ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
                securityErrorMessage = tempMessage;
            }

            // STEP 2: Check dangerous properties
            if (!this.IsProjectSafeWithProperties(out tempMessage))
            {
                ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
                securityErrorMessage = tempMessage;
            }

            // STEP 3: Check dangerous targets
            if (!this.IsProjectSafeWithTargets(out tempMessage))
            {
                ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
                securityErrorMessage = tempMessage;
            }

            // STEP 4: Check dangerous items
            if (!this.IsProjectSafeWithItems(out tempMessage))
            {
                ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
                securityErrorMessage = tempMessage;
            }

            // STEP 5: Check UsingTask tasks
            if (!this.IsProjectSafeWithUsingTasks(out tempMessage))
            {
                ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
                securityErrorMessage = tempMessage;
            }

            // STEP 6: Check for items defined within the LoadTimeCheckItemLocation, whether they are defined in safe locations
            if (!this.CheckItemsLocation(out tempMessage))
            {
                securityMessageMaker.AppendFormat(CultureInfo.CurrentCulture, "{0}: ", (++counter).ToString(CultureInfo.CurrentCulture));
                securityMessageMaker.AppendLine(tempMessage);
                securityErrorMessage = tempMessage;
            }

            if (counter > 1)
            {
                securityErrorMessage = securityMessageMaker.ToString();
            }

            return(String.IsNullOrEmpty(securityErrorMessage));
        }
Exemplo n.º 3
0
        /// <summary>
        /// Checks the project for security. If there is a security violation a dialog box will be popped asking the user for
        /// either open the project for browsing, or open it normally, or cancel project loading.
        /// </summary>
        /// <param name="projectSecurityChecker">An instance of the project security object.</param>
        /// <param name="userProjectSecurityChecker">An instance of the user project security object.</param>
        /// <returns>Either a flag specifying to load the project normally, or not to load the project</returns>
        protected virtual ProjectLoadOption CheckProjectForSecurity(ProjectSecurityChecker projectSecurityChecker, ProjectSecurityChecker userProjectSecurityChecker)
        {
            // We will first test on the project file and then if that is not loaded for browsing we are going to test on the user file.
            ProjectLoadOption projectLoadOption = ProjectLoadOption.DonNotLoad;
            string securityMessage = String.Empty;
            bool isProjectSafe = projectSecurityChecker.IsProjectSafeAtLoadTime(out securityMessage);
            if(!isProjectSafe)
            {
                projectLoadOption = this.ShowSecurityDialogBox(securityMessage);

                if(projectLoadOption == ProjectLoadOption.LoadNormally)
                {
                    if(userProjectSecurityChecker == null)
                    {
                        // The project was unsafe, and the user has opted to treat it as safe.
                        // Mark the project as "Trusted" in the .SUO file, so we never have to
                        // go through all this again.
                        this.package.SetProjectTrustLevel(this.projectIdGuid, ProjectTrustLevel.Trusted);
                    }
                    else
                    {
                        // If we have a user project we will have to redo all this, since that Load Normally was meant only for the project file.
                        projectLoadOption = this.CheckProjectForSecurity(userProjectSecurityChecker, null);

                        if(projectLoadOption == ProjectLoadOption.LoadNormally)
                        {
                            this.package.SetProjectTrustLevel(this.projectIdGuid, ProjectTrustLevel.Trusted);
                        }
                    }
                }
            }
            else
            {
                // If we have a user file do teh check there too.
                if(userProjectSecurityChecker != null)
                {
                    projectLoadOption = this.CheckProjectForSecurity(userProjectSecurityChecker, null);
                }
                else
                {
                    projectLoadOption = ProjectLoadOption.LoadNormally;
                }
            }

            return projectLoadOption;
        }
Exemplo n.º 4
0
 /// <summary>
 /// Make sure that we load normally and skip security checking. 
 /// This can have security impacts so do not do this in production code.
 /// </summary>
 protected override ProjectLoadOption CheckProjectForSecurity(ProjectSecurityChecker projectSecurityChecker, ProjectSecurityChecker userProjectSecurityChecker)
 {
     return ProjectLoadOption.LoadNormally;
 }