Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address Windows recommendations for Link APIs #58592

Merged
merged 6 commits into from
Sep 10, 2021
Merged

Address Windows recommendations for Link APIs #58592

merged 6 commits into from
Sep 10, 2021

Conversation

jozkee
Copy link
Member

@jozkee jozkee commented Sep 2, 2021
edited
Loading

  • 1ce2f30: Even though REPARSE_DATA_BUFFER's PrintName is more end-user-friendly vs SubstituteName, there's no guarantee that NT prefix (\??\) won't be there, we got recommended that we should take our cautions with that and apply logic to trim the prefix as needed.
    However, in further investigation I've noticed that a symlink/junction created with NT prefix, that is mklink foo \??\C:\Users\david\bar cannot be resolved by Windows. therefore my approach here is to always return the unadultered PrintName in such case. If Windows is unable to resolve such paths, we should defer users to reason about them themselves.
    I've also found a bug in DeviceIoControl where REPARSE_DATA_BUFFER.Flags will contain SYMLINK_FLAG_RELATIVE for NT paths (e.g: \??\C:\foo), which is incorrect given that such paths will always be treated as absolute.

  • 2a5cda1: Another recommendation from Windows is that we should not run any validation in the link's target when it is being created since all validations should occur at resolution time, therefore, I've removed the "file-must-target-file" validation that we initially wrote.

  • fbcfe3e UPDATE: After further digging, we should not use PrintName as it can display a different target to the one intended, see: https://www.tiraniddo.dev/2016/02/tracking-down-root-cause-of-windows.html
    cc @GrabYourPitchforks.

@jozkee jozkee added this to the 7.0.0 milestone Sep 2, 2021
@jozkee jozkee self-assigned this Sep 2, 2021
@ghost
Copy link

ghost commented Sep 2, 2021

Tagging subscribers to this area: @dotnet/area-system-io
See info in area-owners.md if you want to be subscribed.

Issue Details

  • 1ce2f30: Even though REPARSE_DATA_BUFFER's PrintName is more end-user-friendly vs SubstituteName, there's no guarantee that NT prefix (\??\) won't be there, we got recommended that we should take our cautions with that and apply logic to trim the prefix as needed.
    However, in further investigation I've noticed that a symlink/junction created with NT prefix, that is mklink foo \??\C:\Users\david\bar cannot be resolved by Windows. therefore my approach here is to always return the unadultered PrintName in such case. If Windows is unable to resolve such paths, we should defer users to reason about them themselves.
    I've also found a bug in DeviceIoControl where REPARSE_DATA_BUFFER.Flags will contain SYMLINK_FLAG_RELATIVE for NT paths (e.g: \??\C:\foo), which is incorrect given that such paths will always be treated as absolute.

  • 2a5cda1: Another recommendation from Windows is that we should not run any validation in the link's target when it is being created since all validations should occur at resolution time, therefore, I've removed the "file-must-target-file" validation that we initially wrote.

Author: Jozkee
Assignees: Jozkee
Labels:

area-System.IO
Milestone: 7.0.0

@jozkee jozkee added the NO-REVIEW Experimental/testing PR, do NOT review it label Sep 3, 2021
adamsitnik
adamsitnik approved these changes Sep 3, 2021
View reviewed changes
Copy link
Member

@adamsitnik adamsitnik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you @jozkee !

src/libraries/System.Private.CoreLib/src/Resources/Strings.resx Show resolved Hide resolved
@jozkee jozkee removed the NO-REVIEW Experimental/testing PR, do NOT review it label Sep 9, 2021
@jozkee
Copy link
Member Author

jozkee commented Sep 9, 2021

@adamsitnik @carlossanlop PTAL, I've updated the PR in order to fix a potential security threat.

@jeffhandley jeffhandley modified the milestones: 7.0.0, 6.0.0 Sep 9, 2021
carlossanlop
carlossanlop reviewed Sep 9, 2021
View reviewed changes
src/libraries/System.Private.CoreLib/src/System/IO/FileSystem.Windows.cs Outdated Show resolved Hide resolved
src/libraries/System.Private.CoreLib/src/System/IO/FileSystem.Windows.cs Outdated
}
else if (returnFullPath)
{
return Path.Join(Path.GetDirectoryName(linkPath.AsSpan()), targetPath).ToString();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ToString() is unnecessary. All the Path.Join overloads return a string.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should have an analyzer to catch calling ToString() on a string..

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should have an analyzer to catch calling ToString() on a string..

It has a side effect: it performs a null check. So it can't always be removed. Regardless, I see this in generated code sometimes, where the generator just blindly calls ToString on data regardless of the data's underlying type, and it's pretty harmless in those scenarios.

src/libraries/System.Private.CoreLib/src/System/IO/FileSystem.Windows.cs Outdated Show resolved Hide resolved
@jozkee jozkee merged commit 98c05df into dotnet:main Sep 10, 2021
@jozkee jozkee deleted the link_recomendations branch September 10, 2021 05:48
@jozkee
Copy link
Member Author

jozkee commented Sep 10, 2021

/backport to release/6.0

@github-actions
Copy link
Contributor

Started backporting to release/6.0: https://github.com/dotnet/runtime/actions/runs/1220223811

@github-actions
Copy link
Contributor

@jozkee backporting to release/6.0 failed, the patch most likely resulted in conflicts:

$ git am --3way --ignore-whitespace --keep-non-patch changes.patch

Applying: NT prefix shall not be treated as a relative path
Using index info to reconstruct a base tree...
M	src/libraries/Common/src/System/IO/PathInternal.Windows.cs
Falling back to patching base and 3-way merge...
Auto-merging src/libraries/Common/src/System/IO/PathInternal.Windows.cs
CONFLICT (content): Merge conflict in src/libraries/Common/src/System/IO/PathInternal.Windows.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 NT prefix shall not be treated as a relative path
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

@jozkee jozkee restored the link_recomendations branch September 10, 2021 06:49
@jozkee jozkee deleted the link_recomendations branch September 10, 2021 06:50
jozkee added a commit to jozkee/runtime that referenced this pull request Sep 10, 2021
@jozkee
Address Windows recommendations for Link APIs (dotnet#58592)
150341e 
* NT prefix shall not be treated as a relative path

* Remove file-folder-match validation

* Use SubstituteName instead of PrintName since the latter is just for display and can be misleading

* Fix MS.IO.Redist

* Fix whitespace in Strings.resx

* Address suggestions
@jozkee jozkee mentioned this pull request Sep 10, 2021
Merged
@runfoapp runfoapp bot mentioned this pull request Sep 13, 2021
Closed
Anipik pushed a commit that referenced this pull request Sep 13, 2021
@jozkee
Address Windows recommendations for Link APIs (#58592) (#58926)
188bfd8 
* NT prefix shall not be treated as a relative path

* Remove file-folder-match validation

* Use SubstituteName instead of PrintName since the latter is just for display and can be misleading

* Fix MS.IO.Redist

* Fix whitespace in Strings.resx

* Address suggestions
@jozkee jozkee mentioned this pull request Sep 14, 2021
Merged
@ghost ghost locked as resolved and limited conversation to collaborators Oct 10, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@GrabYourPitchforks GrabYourPitchforks GrabYourPitchforks left review comments

@danmoseley danmoseley danmoseley left review comments

@carlossanlop carlossanlop carlossanlop approved these changes

@adamsitnik adamsitnik Awaiting requested review from adamsitnik

Assignees

@jozkee jozkee

Labels
area-System.IO
Projects
None yet
Milestone
6.0.0
Development

Successfully merging this pull request may close these issues.
6 participants
@jozkee @carlossanlop @GrabYourPitchforks @adamsitnik @danmoseley @jeffhandley