зеркало из https://github.com/microsoft/BuildXL.git
Merged PR 787205: Revert "Merged PR 784626: Allowlist rules should not be affected by '\\?\' pa...
Potentially causing incident 507986920
Revert "Merged PR 784626: Allowlist rules should not be affected by '\\?\' path prefix"
This reverts commit c581dcee03
.
Related work items: #2165593
This commit is contained in:
Родитель
b06d5d5e5c
Коммит
99a7993181
|
@ -9,12 +9,11 @@ using System.Diagnostics.ContractsLight;
|
|||
using System.Linq;
|
||||
using System.Text.RegularExpressions;
|
||||
using System.Threading.Tasks;
|
||||
using BuildXL.Native.IO.Windows;
|
||||
using BuildXL.Pips.Operations;
|
||||
using BuildXL.Processes;
|
||||
using BuildXL.Utilities.Core;
|
||||
using BuildXL.Utilities.Collections;
|
||||
using BuildXL.Utilities.Configuration;
|
||||
using BuildXL.Utilities.Core;
|
||||
using BuildXL.Utilities.Instrumentation.Common;
|
||||
|
||||
namespace BuildXL.ProcessPipExecutor
|
||||
|
@ -453,7 +452,7 @@ namespace BuildXL.ProcessPipExecutor
|
|||
/// Match a given access-rule fragment against a ReportedFileAccess.
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// Case insensitive since our first target is Windows, which has case-insensitive filesystem semantics. That decision
|
||||
/// Case insensitive since our first target is Windows, which has case-insensitive filesystem semantics. That decision
|
||||
/// might need to be revisited in the future.
|
||||
/// </remarks>
|
||||
internal static bool PathFilterMatches(
|
||||
|
@ -465,27 +464,7 @@ namespace BuildXL.ProcessPipExecutor
|
|||
Contract.Requires((pathRegex.Options & RegexOptions.IgnoreCase) != 0);
|
||||
Contract.Requires((pathRegex.Options & RegexOptions.CultureInvariant) != 0);
|
||||
|
||||
// A file access might start with a known prefix. Such prefixes are not common, so some users might not be aware of them.
|
||||
// We "normalize" the path (by setting the proper start index) here to avoid erroneous regex mismatch.
|
||||
var reportedFileAccessPath = reportedFileAccess.GetPath(pathTable);
|
||||
int prefixLength = 0;
|
||||
if (OperatingSystemHelper.IsWindowsOS)
|
||||
{
|
||||
if (reportedFileAccessPath.StartsWith(FileSystemWin.LongPathPrefix))
|
||||
{
|
||||
prefixLength = FileSystemWin.LongPathPrefix.Length;
|
||||
}
|
||||
else if (reportedFileAccessPath.StartsWith(FileSystemWin.NtPathPrefix))
|
||||
{
|
||||
prefixLength = FileSystemWin.NtPathPrefix.Length;
|
||||
}
|
||||
}
|
||||
|
||||
#if NET8_0_OR_GREATER
|
||||
return pathRegex.IsMatch(reportedFileAccessPath.AsSpan(prefixLength));
|
||||
#else
|
||||
return prefixLength > 0 ? pathRegex.IsMatch(reportedFileAccessPath.Substring(prefixLength)) : pathRegex.IsMatch(reportedFileAccessPath);
|
||||
#endif
|
||||
return pathRegex.IsMatch(reportedFileAccess.GetPath(pathTable));
|
||||
}
|
||||
|
||||
internal static MatchType Match(bool matches, bool entryAllowsCaching)
|
||||
|
|
|
@ -2,15 +2,14 @@
|
|||
// Licensed under the MIT License.
|
||||
|
||||
using System.IO;
|
||||
using System.Linq;
|
||||
using System.Threading.Tasks;
|
||||
using BuildXL.Native.IO;
|
||||
using BuildXL.Processes;
|
||||
using BuildXL.ProcessPipExecutor;
|
||||
using BuildXL.Utilities.Core;
|
||||
using BuildXL.Utilities.Configuration;
|
||||
using Test.BuildXL.TestUtilities.Xunit;
|
||||
using Xunit;
|
||||
using System.Linq;
|
||||
|
||||
namespace Test.BuildXL.Processes
|
||||
{
|
||||
|
@ -114,50 +113,5 @@ namespace Test.BuildXL.Processes
|
|||
XAssert.AreEqual(executableEntry5.PathRegex.ToString(), deserialized.ExecutableNoToolPathEntries.FirstOrDefault(e => e.Name == executableEntry5.Name).PathRegex.ToString());
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Validates that known pathPrefix index is correctly captured in file access paths on Windows.
|
||||
/// </summary>
|
||||
[TheoryIfSupported(requiresWindowsBasedOperatingSystem: true)]
|
||||
[InlineData(@"^c:\\foo\\.*", @"\\?\c:\foo\\bar.txt", true)]
|
||||
[InlineData(@"c:\\foo\\.*", @"\\?\c:\foo\bar.txt", true)]
|
||||
[InlineData(@"c:\\baz\\.*", @"\\?\c:\foo\baz.txt", false)]
|
||||
[InlineData(@"c:\\foo.*", @"\\?\c:\foo.txt", true)]
|
||||
[InlineData(@"c:\\foo.*", @"c:\foo.txt", true)]
|
||||
[InlineData(@"c:\\baz\\.*", @"\\?\c:\foo\baz.txt", false)]
|
||||
public void ValidatePathPrefixRemoval(string pattern, string fileAccessPath, bool isMatch)
|
||||
{
|
||||
var context = BuildXLContext.CreateInstanceForTesting();
|
||||
var pathTable = context.PathTable;
|
||||
XAssert.AreEqual(
|
||||
FileAccessAllowlist.PathFilterMatches(
|
||||
FileAccessAllowlist.RegexWithProperties(pattern).Regex,
|
||||
CreateReportedFileAccessPath(fileAccessPath),
|
||||
pathTable),
|
||||
isMatch);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Helper method to create ReportedFileAccessPath.
|
||||
/// </summary>
|
||||
private ReportedFileAccess CreateReportedFileAccessPath(string path)
|
||||
{
|
||||
var process = new ReportedProcess(1000, "/usr/bin/touch");
|
||||
|
||||
return new ReportedFileAccess(ReportedFileOperation.GetFileAttributes,
|
||||
process,
|
||||
RequestedAccess.Read,
|
||||
FileAccessStatus.Allowed,
|
||||
true,
|
||||
0,
|
||||
Usn.Zero,
|
||||
DesiredAccess.GENERIC_READ,
|
||||
ShareMode.FILE_SHARE_READ,
|
||||
CreationDisposition.OPEN_EXISTING,
|
||||
FlagsAndAttributes.FILE_ATTRIBUTE_NORMAL,
|
||||
AbsolutePath.Invalid,
|
||||
path,
|
||||
"*");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Загрузка…
Ссылка в новой задаче