Merging internal commits for release/9.0 #126897
Merged
wfurt merged 20 commits into dotnet:release/9.0 from Apr 15, 2026
…ryptography.Xml components

Apply mitigations to System.Security.Cryptography.Xml components

Apply depth checks to a number of recursive components. Opt out of using unsafe transforms in EncryptedXml by default.

Co-Authored-By: Pranav Senthilnathan <pranas@microsoft.com>

----

#### AI description (iteration 1)

#### PR Classification

Security mitigation that enforces strict XML recursion depth limits and safe transform validation to prevent DoS attacks.

#### PR Summary

This pull request strengthens the System.Security.Cryptography.Xml components against malicious XML payloads by introducing configurable recursion depth checks, safe transform validations, and comprehensive tests for deep or infinite XML structures.

- **`tests/SignedXmlTest.cs` & `tests/EncryptedXmlTests.cs`**: Added tests covering infinite XSLT loops, deep XML document signing, and configurable recursion limit behaviors.
- **`src/Security/Cryptography/Xml/EncryptedKey.cs` & `EncryptedData.cs`**: Refactored XML loading logic to use thread-static counters for tracking XML recursion depth and throwing exceptions when limits are exceeded.
- **`src/Security/Cryptography/Xml/CanonicalizationDispatcher.cs`**: Integrated depth counters to abort processing on XML structures that exceed the safe nesting threshold.
- **`src/Security/Cryptography/Xml/XmlDecryptionTransform.cs`**: Updated the decryption flow to track and limit recursive XML processing via work items with depth information.
- **`src/Security/Cryptography/Xml/LocalAppContextSwitches.cs`**: Introduced new AppContext switches to configure maximum recursion depth and allowed dangerous XML transforms.

…ing CR or LF in MailAddressParser

Adds early validation in MailAddressParser.TryParseAddress to reject email addresses containing CR or LF characters, preventing SMTP header injection via crafted mail address strings. This fix has already been merged in .NET Framework and needs to ship together with it.

----

#### AI description (iteration 1)

#### PR Classification

This pull request is a bug fix that strengthens input validation for email addresses by rejecting any address containing CR or LF characters.

#### PR Summary

The changes add a validation check in the mail address parser to throw a FormatException (or return false) when CR or LF characters are detected, and update tests accordingly to enforce the new behavior.

- `src/libraries/System.Net.Mail/src/System/Net/Mail/MailAddressParser.cs`: Introduced a new check using MailBnfHelper.HasCROrLF to detect and reject mail addresses with CR or LF.
- `src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParserTest.cs`: Added tests that verify the parser throws an exception or returns false based on the throwExceptionIfFail flag.
- `src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParsingTest.cs`: Updated test cases to remove or adjust mail addresses containing CR or LF characters.

use AZL3 instead of Ubuntu for builds

----

#### AI description (iteration 1)

#### PR Classification

This pull request updates the build pipeline configuration.

#### PR Summary

The changes modify the Linux build pool setup to leverage AZL3 images instead of Ubuntu by conditionally selecting different build agent images based on the architecture type.

- `eng/pipelines/common/xplat-setup.yml`: Replaced the fixed Ubuntu image demand with conditional expressions that assign `build.azurelinux.3.arm64` for ARM architectures and `build.azurelinux.3.amd64` for other architectures.

[release/9.0] update MsQuic MSRC 105190

----

#### AI description (iteration 1)

#### PR Classification

Dependency update for MsQuic.

#### PR Summary

This pull request updates the MsQuic dependency to a newer version to keep the release aligned with recent improvements.

- `/eng/Versions.props`: Updated `MicrosoftNativeQuicMsQuicSchannelVersion` from `2.4.8` to `2.4.17`.
…-merge-9.0-2026-04-14-1139
Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
Pull request overview
This PR merges internal changes into release/9.0, primarily tightening security-related behavior in System.Security.Cryptography.Xml (depth limiting + safe transform enforcement) and hardening System.Net.Mail address parsing against CR/LF injection, alongside a MsQuic Schannel version bump.
Changes:
- Add configurable recursion-depth limiting for XML crypto operations and associated tests/resources.
- Enforce an allow-list of “safe” transform algorithms for `EncryptedXml` `CipherReference` processing (with an AppContext opt-out), and add regression tests.
- Reject CR/LF-containing mail addresses earlier in parsing, updating unit/functional tests accordingly; update MsQuic package version.
Reviewed changes
Copilot reviewed 21 out of 22 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/libraries/System.Security.Cryptography.Xml/tests/XmlDsigExcC14NTransformTest.cs | Adds depth-limit regression tests (with RemoteExecutor override cases). |
| src/libraries/System.Security.Cryptography.Xml/tests/XmlDsigC14NTransformTest.cs | Adds depth-limit regression tests (with RemoteExecutor override cases). |
| src/libraries/System.Security.Cryptography.Xml/tests/System.Security.Cryptography.Xml.Tests.csproj | Enables RemoteExecutor in tests and embeds EncryptedXmlSample4.xml. |
| src/libraries/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs | Adds tests for deep XML signing/verification limits and transform restrictions. |
| src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTests.cs | Adds tests covering recursive key scenarios, XSLT rejection, and deep encrypted XML resource loading. |
| src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTest.cs | Updates CipherReference ID-URI tests to validate behavior under the dangerous-transform switch. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/XmlDecryptionTransform.cs | Adds depth tracking for recursive processing of nested <EncryptedData> elements. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/LocalAppContextSwitches.cs | Introduces AppContext configuration for max recursion depth and dangerous transform allowance. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/KeyInfo.cs | Adds LoadXml depth tracking via the new depth-limit mechanism. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedXml.cs | Adds safe-transform enforcement for CipherReference processing with an AppContext opt-out. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedType.cs | Introduces per-thread LoadXml recursion tracking to enforce depth limits. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedKey.cs | Wraps LoadXml in depth tracking to enforce recursion limits. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedData.cs | Wraps LoadXml in depth tracking to enforce recursion limits. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/CanonicalizationDispatcher.cs | Adds per-thread depth limiting to canonicalization traversal. |
| src/libraries/System.Security.Cryptography.Xml/src/System.Security.Cryptography.Xml.csproj | Includes the new LocalAppContextSwitches.cs in the build. |
| src/libraries/System.Security.Cryptography.Xml/src/Resources/Strings.resx | Adds a new resource string for max-depth exceeded errors. |
| src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParsingTest.cs | Moves CR/LF-containing addresses from “valid” to “invalid” test data. |
| src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParserTest.cs | Adds targeted tests ensuring CR/LF causes throw/false across parsing entry points. |
| src/libraries/System.Net.Mail/tests/Functional/SmtpClientTest.cs | Adjusts functional coverage to expect earlier FormatException on invalid addresses. |
| src/libraries/System.Net.Mail/src/System/Net/Mail/MailAddressParser.cs | Adds a one-time scan to reject CR/LF characters in input strings. |
| eng/Versions.props | Updates MicrosoftNativeQuicMsQuicSchannelVersion from 2.4.8 to 2.4.17. |
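
The per-thread recursion tracking that the table describes for the `LoadXml` paths can be sketched as follows. This is an added example, not code from this PR or from dotnet/runtime; `DepthGuard`, `Scope`, `Walk`, `Nested` and the limit of 64 are hypothetical names and values chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Xml;

// Hypothetical helper for this example; not a type from System.Security.Cryptography.Xml.
internal static class DepthGuard
{
    // Assumed limit; the page does not state the library's default or its switch name.
    internal const int MaxDepth = 64;
    [ThreadStatic] private static int t_depth; // one counter per thread
    internal static Scope Enter()
    {
        if (t_depth >= MaxDepth)
            throw new CryptographicException("Maximum XML recursion depth exceeded.");
        t_depth++;
        return default;
    }
    // Disposing the scope restores the counter on normal exit and on exception unwind.
    internal readonly struct Scope : IDisposable { public void Dispose() => t_depth--; }
}

internal static class Program
{
    // Stands in for a LoadXml-style method that recurses into child elements.
    private static int Walk(XmlElement element)
    {
        using var scope = DepthGuard.Enter();
        int count = 1;
        foreach (XmlNode child in element.ChildNodes)
            if (child is XmlElement e) count += Walk(e);
        return count;
    }

    // Constructed input: a chain of <n> elements nested `depth` levels deep.
    private static XmlElement Nested(int depth)
    {
        var doc = new XmlDocument();
        XmlElement root = doc.CreateElement("n"), current = root;
        doc.AppendChild(root);
        for (int i = 1; i < depth; i++)
            current = (XmlElement)current.AppendChild(doc.CreateElement("n"))!;
        return root;
    }

    private static void Main()
    {
        Console.WriteLine(Walk(Nested(10)));   // within the limit: the walk completes
        try { Walk(Nested(10_000)); }          // far beyond the limit: rejected early
        catch (CryptographicException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Because the counter is incremented only after the limit check passes, a rejected call leaves it balanced, and the thread can process the next document normally.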
...tem.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/XmlDecryptionTransform.cs
...raries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedXml.cs
...raries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedXml.cs
wfurt approved these changes on Apr 14, 2026
This was referenced Apr 15, 2026
/ba-g "failures unrelated"
No description provided.