8000 Remove SafeReflectionInvoker Part 2 by ThomasGoulet73 · Pull Request #7485 · dotnet/wpf · GitHub
[go: up one dir, main page]
Skip to content

Remove SafeReflectionInvoker Part 2 #7485

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 18, 2024
Merged

Remove SafeReflectionInvoker Part 2 #7485

merged 1 commit into from
Dec 18, 2024

Conversation

ThomasGoulet73
Copy link
Contributor
@ThomasGoulet73 ThomasGoulet73 commented Feb 1, 2023
edited by ghost
Loading

Follow up to #6693

Description

Removes the remaining methods from SafeReflectionInvoker which was reverted in #6693 because of this comment: #6693 (comment)

@dipeshmsft Let me know if/when you have more details about whether or not this is safe to do. My personal opinion is that this is a reasonable change to do because it is not part of the public API.

Customer Impact

See "Risk".

Regression

No.

Testing

Local build + CI.

Risk

Low. There is a risk that an application uses this internal API which could be considered a breaking change that falls in Bucket 4 in the dotnet/runtime documentation.

Microsoft Reviewers: Open in CodeFlow

@ThomasGoulet73 ThomasGoulet73 requested a review from a team as a code owner February 1, 2023 03:51
@ghost ghost assigned ThomasGoulet73 Feb 1, 2023
@ghost ghost added the PR metadata: Label to tag PRs, to facilitate with triage label Feb 1, 2023
@ghost ghost requested review from dipeshmsft and singhashish-wpf February 1, 2023 03:52
@ghost ghost added the Community Contribution A label for all community Contributions label Feb 1, 2023
@ThomasGoulet73 ThomasGoulet73 force-pushed the remove-SafeReflectionInvoker-part2 branch from 5c6c63d to c2174ce Compare May 1, 2024 02:06
@ThomasGoulet73
Copy link
Contributor Author

I rebased to fix the conflicts.

@h3xds1nz
Copy link
Member

Just putting some context on why this is a purely CAS thing, now a dead code (even in NetFX after at least 4.6):

IsInSystemXaml / IsSystemXamlNonPublic:

/// Critical: Used to detect luring attack described in class-level comments.
/// Safe: Gets the information from reflection.
///       The MethodInfo (and MemberInfo) have an InheritanceDemand so derived class
///       spoofing in PT is not an issue.

Class-level comments:

/// <SecurityNote>
/// All invocation of user-provided reflection objects inside System.Xaml should be routed through this class.
///
/// Invoking a reflection object directly from this class (or any class in System.Xaml)
/// could potentially expose internal types or methods in System.Xaml, because
/// mscorlib sees the invocation as coming from System.Xaml.  Instead, we do
/// the invocation from a dynamic assembly created for this purpose.  Because
/// the wrapper methods 
8000
live in a separate assembly (with no internals) and are
/// marked as security-transparent, the security checks in mscorlib will treat
/// attempts to use internals of System.xaml the same as it treats attempts to
/// use internals of any other assembly; i.e. the caller (that is, the user's
/// application) must have the appropriate permissions.
///
/// This class exposes proxy methods for each of the reflection methods we need.
/// The static constructor creates the dynamic assembly and populates it with
/// the wrapper methods that actually call into reflection code.  The proxy
/// methods in this class merely call the corresponding dynamic wrapper methods.
///
/// The dynamic assembly technique turns out to have perf implications - it loads
/// parts of mscorlib and clr that are otherwise unneeded (for Reflection.Emit et al.),
/// and requires JIT compilation of the resulting IL.  We don't need the elaborate
/// techinique in full-trust scenarios (a malicious full-trust app can already
/// invoke internals just by calling reflection directly).  So in full-trust we
/// use the old code.
/// </SecurityNote>

and from XamlMemberInvoker (which further confirms a check like this is no longer ever needed):

/// This class makes the assumption that any internal ShouldSerialize methods in System.Xaml are safe
/// for public invocation. If this becomes untrue, then ShouldSerializeValue needs an IsSystemXamlNonPublic
/// check, just like GetValue and SetValue have.

@dipeshmsft
Copy link
Member

Hey @ThomasGoulet73, after going through your and @h3xds1nz comments, we are ready to take this PR. Can you resolve the merge conflicts for this PR.

@ThomasGoulet73 ThomasGoulet73 force-pushed the remove-SafeReflectionInvoker-part2 branch from c2174ce to 5ea19f6 Compare December 17, 2024 23:38
@ThomasGoulet73 ThomasGoulet73 requested a review from a team as a code owner December 17, 2024 23:38
@ThomasGoulet73
Copy link
Contributor Author

Done.

@dipeshmsft dipeshmsft merged commit f887fba into dotnet:main Dec 18, 2024
8 checks passed
@dipeshmsft
Copy link
Member

Thank you @ThomasGoulet73.

@ThomasGoulet73 ThomasGoulet73 deleted the remove-SafeReflectionInvoker-part2 branch December 18, 2024 14:56
@github-actions github-actions bot locked and limited conversation to collaborators Jan 18, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dipeshmsft dipeshmsft dipeshmsft approved these changes

@singhashish-wpf singhashish-wpf Awaiting requested review from singhashish-wpf

Assignees

@ThomasGoulet73 ThomasGoulet73

Labels
Community Contribution A label for all community Contributions PR metadata: Label to tag PRs, to facilitate with triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ThomasGoulet73 @h3xds1nz @dipeshmsft @harshit7962
0