Generate an error or warning when building under the downloads folder #45342
Comments
dotnet-issue-labeler
bot
added
Area-NetSDK
untriaged
Forgind
added
needs team triage
|
|
|
@dotnet/msbuild @dsplaisted we should have a discussion on this one of the best path forward. Should we block? Should we buildcheck/warn? Does this have to be done in msbuild land? |
|
@JanKrivanek has already developed a custom build check to track invalid location: It's available in this nuget, you can give it a try right away |
|
Ooh, very cool. It's already there. Are there plans to add this to the built-in buildchecks? |
|
@JanKrivanek thoughts on including this as a built-in eventually? |
|
Detecting Downloads folder is surprisingly complicated - so I'm not sure we want to have it as a default diagnostic, but a built-in buildcheck sounds fine. More general version of this check is "You are importing logic that is outside of the root of your solution/repository/..." This is just one of many security footguns that MSBuild can bring - we have a due to openly document those (dotnet/msbuild#10739) - so that we can then start pointing users from such new diagnostics to more comprehensive overview, so that we prevent false sense of security by preventing just some of those (we cannot prevent everything that is dangerous as extensibility points are vital part of MSBuild. Over time I'm hoping to collect more tel around usage of various extensibility points and start flipping the more esoteric ones to explicit opt-in mode) |
|
@JanKrivanek my understanding is that there is already a buildcheck for this. What are the plans to add that included in the built-in ones? |
|
This is not currently planned (other areas of investments are getting precedence in a near future). But I'll try to find same spare time to copy it to built-in checks - stay tunned :-) |
|
@JanKrivanek buildchecks run after the build has completed? Daniel points out that this would be too late if there were something malicious going on. Could msbuild startup code potentially block this entirely (unless an env is set) and is that something you'd want to consider? |
Building a project under the downloads folder is not very safe. This is because of things like Directory.Build.props, which mean that you need to trust all of the parent folders of your source code up to the root. Most browsers will download files to the downloads folder with no additional confirmation when you click a link, so a malicious link could put a Directory.Build.props file in your downloads folder, and then execute code in your build when you subsequently built a project that had been downloaded (or extracted) under the downloads folder.
We should probably fail outright, or at least warn, when trying to build a project under the Downloads folder.
This probably makes sense to be an MSBuild feature. Possibly it should be a BuildCheck, but maybe it should just be built into MSBuild by default before it even tries to start the build.
The text was updated successfully, but these errors were encountered: