protected virtual bool IsProjectSafeWithImports(out string securityErrorMessage)
{
securityErrorMessage = String.Empty;
// Now get the directly imports and do the comparision.
string[] directImports = this.securityCheckHelper.GetDirectlyImportedProjects(this.projectShim);
if (directImports != null && directImports.Length > 0)
{
IList <string> safeImportList = ProjectSecurityChecker.GetSafeImportList();
for (int i = 0; i < directImports.Length; i++)
{
string fileToCheck = directImports[i];
if (!ProjectSecurityChecker.IsSafeImport(safeImportList, fileToCheck))
{
using (RegistryKey root = VSRegistry.RegistryRoot(__VsLocalRegistryType.RegType_Configuration))
{
securityErrorMessage = String.Format(CultureInfo.CurrentCulture, SR.GetString(SR.DetailsImport, CultureInfo.CurrentUICulture), Path.GetFileName(this.projectShim.FullFileName), fileToCheck, Path.Combine(root.Name, SafeImportsSubkey));
}
return(false);
}
}
}
return(true);
}
public virtual bool IsProjectSafeAtLoadTime(out string securityErrorMessage)
{
securityErrorMessage = String.Empty;
StringBuilder securityMessageMaker = new StringBuilder();
int counter = 0;
string tempMessage;
// STEP 1: Check direct imports.
if (!this.IsProjectSafeWithImports(out tempMessage))
{
ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
securityErrorMessage = tempMessage;
}
// STEP 2: Check dangerous properties
if (!this.IsProjectSafeWithProperties(out tempMessage))
{
ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
securityErrorMessage = tempMessage;
}
// STEP 3: Check dangerous targets
if (!this.IsProjectSafeWithTargets(out tempMessage))
{
ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
securityErrorMessage = tempMessage;
}
// STEP 4: Check dangerous items
if (!this.IsProjectSafeWithItems(out tempMessage))
{
ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
securityErrorMessage = tempMessage;
}
// STEP 5: Check UsingTask tasks
if (!this.IsProjectSafeWithUsingTasks(out tempMessage))
{
ProjectSecurityChecker.FormatMessage(securityMessageMaker, ++counter, tempMessage);
securityErrorMessage = tempMessage;
}
// STEP 6: Check for items defined within the LoadTimeCheckItemLocation, whether they are defined in safe locations
if (!this.CheckItemsLocation(out tempMessage))
{
securityMessageMaker.AppendFormat(CultureInfo.CurrentCulture, "{0}: ", (++counter).ToString(CultureInfo.CurrentCulture));
securityMessageMaker.AppendLine(tempMessage);
securityErrorMessage = tempMessage;
}
if (counter > 1)
{
securityErrorMessage = securityMessageMaker.ToString();
}
return(String.IsNullOrEmpty(securityErrorMessage));
}
/// <summary>
/// Checks the project for security. If there is a security violation a dialog box will be popped asking the user for
/// either open the project for browsing, or open it normally, or cancel project loading.
/// </summary>
/// <param name="projectSecurityChecker">An instance of the project security object.</param>
/// <param name="userProjectSecurityChecker">An instance of the user project security object.</param>
/// <returns>Either a flag specifying to load the project normally, or not to load the project</returns>
protected virtual ProjectLoadOption CheckProjectForSecurity(ProjectSecurityChecker projectSecurityChecker, ProjectSecurityChecker userProjectSecurityChecker)
{
// We will first test on the project file and then if that is not loaded for browsing we are going to test on the user file.
ProjectLoadOption projectLoadOption = ProjectLoadOption.DonNotLoad;
string securityMessage = String.Empty;
bool isProjectSafe = projectSecurityChecker.IsProjectSafeAtLoadTime(out securityMessage);
if (!isProjectSafe)
{
projectLoadOption = this.ShowSecurityDialogBox(securityMessage);
if (projectLoadOption == ProjectLoadOption.LoadNormally)
{
if (userProjectSecurityChecker == null)
{
// The project was unsafe, and the user has opted to treat it as safe.
// Mark the project as "Trusted" in the .SUO file, so we never have to
// go through all this again.
this.package.SetProjectTrustLevel(this.projectIdGuid, ProjectTrustLevel.Trusted);
}
else
{
// If we have a user project we will have to redo all this, since that Load Normally was meant only for the project file.
projectLoadOption = this.CheckProjectForSecurity(userProjectSecurityChecker, null);
if (projectLoadOption == ProjectLoadOption.LoadNormally)
{
this.package.SetProjectTrustLevel(this.projectIdGuid, ProjectTrustLevel.Trusted);
}
}
}
}
else
{
// If we have a user file do teh check there too.
if (userProjectSecurityChecker != null)
{
projectLoadOption = this.CheckProjectForSecurity(userProjectSecurityChecker, null);
}
else
{
projectLoadOption = ProjectLoadOption.LoadNormally;
}
}
return projectLoadOption;
}
