From b86ba5b25bceb93cf895353117b22b0acea29a2b Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Wed, 18 Nov 2020 17:57:57 -0800 Subject: [PATCH 01/15] Potential defense in depth fix --- .../commands/utility/New-Object.cs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index b40b53952f0..b96d9a9d1bd 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -189,7 +189,8 @@ protected override void BeginProcessing() targetObject: null)); } - if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage) + if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage || + (Context.LanguageMode == PSLanguageMode.NoLanguage && SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce) ) { if (!CoreTypes.Contains(type)) { From 922284074e0cc9a2862d3d1ecad2750cb661422a Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Wed, 18 Nov 2020 18:16:03 -0800 Subject: [PATCH 02/15] Indentation fix --- .../commands/utility/New-Object.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index b96d9a9d1bd..ecdbae8c31c 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs 
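Review bot: The widened condition has no comment explaining why NoLanguage is limited to core types only when `GetSystemLockdownPolicy()` returns `SystemEnforcementMode.Enforce`, while ConstrainedLanguage is limited unconditionally; the only rationale on the page is the commit subject. The same gap remains in the reshaped versions of this check in patches 05, 09 and 13. A line above the `if` such as `// Defense in depth: under an enforced system lockdown policy, NoLanguage sessions may create core types only, as in ConstrainedLanguage.` would keep the asymmetry from being read as an oversight. BeginProcessing starts and ends outside the hunk.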
@@ -190,7 +190,7 @@ protected override void BeginProcessing() } if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage || - (Context.LanguageMode == PSLanguageMode.NoLanguage && SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce) ) + (Context.LanguageMode == PSLanguageMode.NoLanguage && SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce)) { if (!CoreTypes.Contains(type)) { From 84cf633cd067ac5ea30fdcdced2b2facfd28b2ea Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Wed, 18 Nov 2020 21:29:51 -0800 Subject: [PATCH 03/15] SystemPolicy error fixed --- .../commands/utility/New-Object.cs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index ecdbae8c31c..a0d79c6296d 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -190,7 +190,8 @@ protected override void BeginProcessing() } if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage || - (Context.LanguageMode == PSLanguageMode.NoLanguage && SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce)) + (Context.LanguageMode == PSLanguageMode.NoLanguage && + (System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy() == System.Management.Automation.Security.SystemEnforcementMode.Enforce))) { if (!CoreTypes.Contains(type)) { From 664e6473381e083576dd5cbd1fad6326e072f20f Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Wed, 18 Nov 2020 21:31:13 -0800 Subject: [PATCH 04/15] Indentation --- .../commands/utility/New-Object.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index a0d79c6296d..b3658958ddf 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -191,7 +191,7 @@ protected override void BeginProcessing() if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage || (Context.LanguageMode == PSLanguageMode.NoLanguage && - (System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy() == System.Management.Automation.Security.SystemEnforcementMode.Enforce))) + (System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy() == System.Management.Automation.Security.SystemEnforcementMode.Enforce))) { if (!CoreTypes.Contains(type)) { From 497164dd8cceecba56b8651631356609b85996bd Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Tue, 24 Nov 2020 15:38:07 -0800 Subject: [PATCH 05/15] restricted language check performed --- .../commands/utility/New-Object.cs | 26 ++++++++++++++++--- .../resources/NewObjectStrings.resx | 6 +++++ 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index b3658958ddf..d0f52b2cd2a 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs 
@@ -189,9 +189,7 @@ protected override void BeginProcessing() targetObject: null)); } - if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage || - (Context.LanguageMode == PSLanguageMode.NoLanguage && - (System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy() == System.Management.Automation.Security.SystemEnforcementMode.Enforce))) + if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage) { if (!CoreTypes.Contains(type)) { @@ -201,6 +199,28 @@ protected override void BeginProcessing() } } + if (Context.LanguageMode == PSLanguageMode.NoLanguage && + (System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy() == System.Management.Automation.Security.SystemEnforcementMode.Enforce)) + { + if (!CoreTypes.Contains(type)) + { + ThrowTerminatingError( + new ErrorRecord( + new PSNotSupportedException(NewObjectStrings.CannotCreateTypeNoLanguage), "CannotCreateTypeNoLanguage", ErrorCategory.PermissionDenied, null)); + } + } + + if (Context.LanguageMode == PSLanguageMode.RestrictedLanguage && + (System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy() == System.Management.Automation.Security.SystemEnforcementMode.Enforce)) + { + if (!CoreTypes.Contains(type)) + { + ThrowTerminatingError( + new ErrorRecord( + new PSNotSupportedException(NewObjectStrings.CannotCreateTypeRestrictedLanguage), "CannotCreateTypeRestrictedLanguage", ErrorCategory.PermissionDenied, null)); + } + } + // WinRT does not support creating instances of attribute & delegate WinRT types. if (WinRTHelper.IsWinRTType(type) && ((typeof(System.Attribute)).IsAssignableFrom(type) || (typeof(System.Delegate)).IsAssignableFrom(type))) { diff --git a/src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx b/src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx index 63b4271c382..3d57fa2711f 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx 
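Review bot: The two new deny branches (error ids `CannotCreateTypeNoLanguage` and `CannotCreateTypeRestrictedLanguage`) arrive without a test, and no later patch adds one: every diffstat in the series lists only New-Object.cs and NewObjectStrings.resx. Because this is a security gate, it should be pinned by cases that run New-Object in NoLanguage and RestrictedLanguage sessions under an enforced lockdown policy and assert that a non-core type fails with the expected error id while a core type still succeeds. A further case should show that behaviour is unchanged when the policy is not enforced. How lockdown is simulated in the test suite is not visible from here, and BeginProcessing continues outside both hunks.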
+++ b/src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx @@ -144,6 +144,12 @@ Cannot create type. Only core types are supported in this language mode. + + Cannot create type. Only core types are supported in NoLanguage mode on a policy locked down machine. + + + Cannot create type. Only core types are supported in restricted language mode on a policy locked down machine. + {0} Please note that Single-Threaded Apartment is not supported in PowerShell. From 48c887af777b7b7c9742d2567ef4ffc0cf30e830 Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Tue, 1 Dec 2020 18:59:44 -0800 Subject: [PATCH 06/15] Indentation --- .../commands/utility/New-Object.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index d0f52b2cd2a..bf667ef3922 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -345,7 +345,7 @@ protected override void BeginProcessing() // Win8:649519 comObject = LanguagePrimitives.SetObjectProperties(comObject, Property, type, CreateMemberNotFoundError, CreateMemberSetValueError, enableMethodCall: true); } - + WriteObject(comObject); } #endif From 1da8610a688b9d26fcbe9d52dc4ab82e74ed3f28 Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Tue, 1 Dec 2020 19:00:23 -0800 Subject: [PATCH 07/15] Indentation --- .../commands/utility/New-Object.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index bf667ef3922..d0f52b2cd2a 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs 
@@ -345,7 +345,7 @@ protected override void BeginProcessing() // Win8:649519 comObject = LanguagePrimitives.SetObjectProperties(comObject, Property, type, CreateMemberNotFoundError, CreateMemberSetValueError, enableMethodCall: true); } - + WriteObject(comObject); } #endif From 4986598905ca1becc2804d881d614e18da9ece2e Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Thu, 3 Dec 2020 11:42:59 -0800 Subject: [PATCH 08/15] Code reorg --- .../commands/utility/New-Object.cs | 2 -- .../resources/NewObjectStrings.resx | 7 ++----- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index d0f52b2cd2a..9253c24dfd6 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -10,9 +10,7 @@ using System.Management.Automation; using System.Management.Automation.Internal; using System.Management.Automation.Language; -#if !UNIX using System.Management.Automation.Security; -#endif using System.Reflection; using System.Runtime.InteropServices; #if !UNIX diff --git a/src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx b/src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx index 3d57fa2711f..07c2a6d8c9e 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx +++ b/src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx 
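Review bot: Dropping the `#if !UNIX` / `#endif` pair is the only change patch 08 makes to New-Object.cs, so the file still refers to `NewObjectStrings.CannotCreateTypeNoLanguage` and `NewObjectStrings.CannotCreateTypeRestrictedLanguage` from patch 05. The resx half of the same commit appears to replace those two entries with a single `{0}` string. If that reading is right, the tree does not build at this commit, which makes bisecting the change harder. The resource edit belongs with patch 09, where the references are switched to `CannotCreateTypeLanguageMode`.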
@@ -144,11 +144,8 @@ Cannot create type. Only core types are supported in this language mode. - - Cannot create type. Only core types are supported in NoLanguage mode on a policy locked down machine. - - - Cannot create type. Only core types are supported in restricted language mode on a policy locked down machine. + + Cannot create type. Only core types are supported in {0} language mode on a policy locked down machine. {0} Please note that Single-Threaded Apartment is not supported in PowerShell. From bc76b39b556ebdefb6f46ba91a4a8e127175f06c Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Thu, 3 Dec 2020 11:46:57 -0800 Subject: [PATCH 09/15] code reorg --- .../commands/utility/New-Object.cs | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index 9253c24dfd6..8e1e1a1d585 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs 
@@ -197,25 +197,23 @@ protected override void BeginProcessing() } } - if (Context.LanguageMode == PSLanguageMode.NoLanguage && - (System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy() == System.Management.Automation.Security.SystemEnforcementMode.Enforce)) + if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce) { - if (!CoreTypes.Contains(type)) - { - ThrowTerminatingError( - new ErrorRecord( - new PSNotSupportedException(NewObjectStrings.CannotCreateTypeNoLanguage), "CannotCreateTypeNoLanguage", ErrorCategory.PermissionDenied, null)); - } - } - - if (Context.LanguageMode == PSLanguageMode.RestrictedLanguage && - (System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy() == System.Management.Automation.Security.SystemEnforcementMode.Enforce)) - { - if (!CoreTypes.Contains(type)) + switch (Context.LanguageMode) { - ThrowTerminatingError( - new ErrorRecord( - new PSNotSupportedException(NewObjectStrings.CannotCreateTypeRestrictedLanguage), "CannotCreateTypeRestrictedLanguage", ErrorCategory.PermissionDenied, null)); + case PSLanguageMode.NoLanguage: + case PSLanguageMode.RestrictedLanguage: + if (!CoreTypes.Contains(type)) + { + ThrowTerminatingError( + new ErrorRecord( + new PSNotSupportedException( + string.Format(NewObjectStrings.CannotCreateTypeLanguageMode, Context.LanguageMode.ToString())), + nameof(NewObjectStrings.CannotCreateTypeLanguageMode), + ErrorCategory.PermissionDenied, + targetObject: null)); + } + break; } } From 46d8da91d26a862873dcbd733300e9be9519db00 Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Thu, 3 Dec 2020 11:55:55 -0800 Subject: [PATCH 10/15] Indentation --- .../commands/utility/New-Object.cs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index 8e1e1a1d585..364ddf077c1 100644 
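Review bot: The new `switch` sits in the type-name path of BeginProcessing, so the core-types limit for NoLanguage and RestrictedLanguage is applied only there. No hunk in this series touches the COM branch further down, the `WriteObject(comObject)` code ahead of the `#endif` seen in patches 06 and 07. Confirm whether -ComObject in these two language modes under an enforced lockdown policy is already restricted by existing code. If it is not, apply an equivalent gate or add a comment saying why none is needed. BeginProcessing starts and ends outside the hunk, so that branch cannot be checked from here.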
--- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -213,6 +213,7 @@ protected override void BeginProcessing() ErrorCategory.PermissionDenied, targetObject: null)); } + break; } } From 27134a04742f7a3cfddc9bcff2b4d1fba64b6060 Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Thu, 3 Dec 2020 12:43:35 -0800 Subject: [PATCH 11/15] indent --- .../commands/utility/New-Object.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index 364ddf077c1..069e930168f 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -217,7 +217,7 @@ protected override void BeginProcessing() break; } } - + // WinRT does not support creating instances of attribute & delegate WinRT types. if (WinRTHelper.IsWinRTType(type) && ((typeof(System.Attribute)).IsAssignableFrom(type) || (typeof(System.Delegate)).IsAssignableFrom(type))) { From d04617d56fc5c167028994b03385585bf3c12c03 Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Thu, 3 Dec 2020 12:45:29 -0800 Subject: [PATCH 12/15] Revert "indent" This reverts commit 27134a04742f7a3cfddc9bcff2b4d1fba64b6060. --- .../commands/utility/New-Object.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index 069e930168f..364ddf077c1 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs 
@@ -217,7 +217,7 @@ protected override void BeginProcessing() break; } } - + // WinRT does not support creating instances of attribute & delegate WinRT types. if (WinRTHelper.IsWinRTType(type) && ((typeof(System.Attribute)).IsAssignableFrom(type) || (typeof(System.Delegate)).IsAssignableFrom(type))) { From 716b7b252faceb56996d790dc89b020ed504d1ad Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Thu, 3 Dec 2020 15:38:20 -0800 Subject: [PATCH 13/15] condition changed --- .../commands/utility/New-Object.cs | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index 364ddf077c1..8e24db7ff11 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -197,13 +197,12 @@ protected override void BeginProcessing() } } - if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce) + switch (Context.LanguageMode) { - switch (Context.LanguageMode) - { - case PSLanguageMode.NoLanguage: - case PSLanguageMode.RestrictedLanguage: - if (!CoreTypes.Contains(type)) + case PSLanguageMode.NoLanguage: + case PSLanguageMode.RestrictedLanguage: + if (SystemLockdownPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce + && !CoreTypes.Contains(type)) { ThrowTerminatingError( new ErrorRecord( From 707b7036be23b9406e378eaa57bce257fda02b91 Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Thu, 3 Dec 2020 15:46:35 -0800 Subject: [PATCH 14/15] COmpilation corrected --- .../commands/utility/New-Object.cs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index 8e24db7ff11..5992126b51d 100644 
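Review bot: The combined test in patch 13, `... == SystemEnforcementMode.Enforce && !CoreTypes.Contains(type)`, treats every enforcement mode other than `Enforce` as allow. When the policy is in `Audit`, a non-core type requested from NoLanguage or RestrictedLanguage is therefore created with nothing recorded by this block. If audit mode is meant to show what enforcement would block, this is the place to emit that record. Otherwise a comment such as `// Audit mode is intentionally not restricted here.` would document the choice. Whether audit reporting happens elsewhere is not visible from the hunk, and the case body continues outside it.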
--- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -213,8 +213,7 @@ protected override void BeginProcessing() targetObject: null)); } - break; - } + break; } // WinRT does not support creating instances of attribute & delegate WinRT types. From a8b23b287a4ef0ba822484485d30b5c0107dcbae Mon Sep 17 00:00:00 2001 From: Krishna Yalavarthi Date: Thu, 3 Dec 2020 16:01:47 -0800 Subject: [PATCH 15/15] lockdown policy error --- .../commands/utility/New-Object.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs index 5992126b51d..0b75506d0bf 100644 --- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs +++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs @@ -201,7 +201,7 @@ protected override void BeginProcessing() { case PSLanguageMode.NoLanguage: case PSLanguageMode.RestrictedLanguage: - if (SystemLockdownPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce + if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce && !CoreTypes.Contains(type)) { ThrowTerminatingError(