Merging internal commits for release/8.0 #126898
Merged
wfurt merged 18 commits into dotnet:release/8.0 from Apr 15, 2026
…ryptography.Xml components

Apply mitigations to System.Security.Cryptography.Xml components

Apply depth checks to a number of recursive components.
Opt out of using unsafe transforms in EncryptedXml by default.

Co-Authored-By: Pranav Senthilnathan <pranas@microsoft.com>

----

#### AI description (iteration 1)

#### PR Classification

This pull request implements security mitigations by enforcing maximum XML recursion depth and safe transform checks in the System.Security.Cryptography.Xml components.

#### PR Summary

It adds configurable depth limits and safety checks to prevent denial-of-service attacks through excessively nested XML and unsafe/recursive transforms, while supplementing these changes with comprehensive tests.

- `SignedXmlTest.cs` and `EncryptedXmlTests.cs`: Introduce various tests for deep XML documents, infinite XSLT transform scenarios, and boundary conditions using AppContext switches.
- `EncryptedKey.cs`, `EncryptedData.cs`, and `KeyInfo.cs`: Implement thread-static depth tracking with Increment/Decrement methods to enforce a maximum nesting depth during XML loading.
- `XmlDecryptionTransform.cs` and `CanonicalizationDispatcher.cs`: Add recursion depth checks that throw cryptographic exceptions when the configured limit is exceeded.
- `LocalAppContextSwitches.cs`: New file that defines AppContext switches for dangerous recursion depth and safe transform configuration.
- `EncryptedXml.cs`: Enhance decryption by verifying that only approved transform algorithms are applied before processing, ensuring safer XML decryption outcomes.

…tem.Security.Cryptography.Xml

Following up to the fixes in https://dev.azure.com/dnceng/internal/_git/dotnet-runtime/pullrequest/58446

----

#### AI description (iteration 1)

#### PR Classification

This pull request updates the build configuration for the System.Security.Cryptography.Xml library to enable NuGet packaging for the servicing release.

#### PR Summary

The changes modify the project file to support packaging and update the servicing version, ensuring the release build is correctly configured.

- `src/libraries/System.Security.Cryptography.Xml/src/System.Security.Cryptography.Xml.csproj`: Set `<GeneratePackageOnBuild>` to true and updated `<ServicingVersion>` from 2 to 3.

…ing CR or LF in MailAddressParser

Adds early validation in MailAddressParser.TryParseAddress to reject email addresses containing CR or LF characters, preventing SMTP header injection via crafted mail address strings. This fix has already been merged in .NET Framework and needs to ship together with it.

----

#### AI description (iteration 1)

#### PR Classification

Bug fix to enforce proper email address formatting by rejecting addresses containing CR or LF characters.

#### PR Summary

This pull request adds explicit checks in the mail address parser to disallow CR and LF characters and updates the unit tests accordingly.

- `src/libraries/System.Net/Mail/MailAddressParser.cs`: Added logic that checks for CR/LF and either throws a FormatException or returns false.
- `src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParserTest.cs`: Introduced tests to verify both exception throwing and false return for addresses with CR/LF.
- `src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParsingTest.cs`: Modified test cases to ensure incorrect CR/LF formats are properly handled.

use AZL3 instead of Ubuntu for builds

----

#### AI description (iteration 1)

#### PR Classification

This pull request updates the CI build pipeline configuration to use AZL3 build images instead of Ubuntu.

#### PR Summary

The changes modify the build pipeline in `eng/pipelines/common/xplat-setup.yml` to conditionally select AZL3 images based on architecture.

- `eng/pipelines/common/xplat-setup.yml`: Replaced the hardcoded Ubuntu image demand with conditional demands that select `build.azurelinux.3.arm64` for ARM/ARM64 architectures and `build.azurelinux.3.amd64` for all other cases.

Update MsQuic version. MSRC 105190

----

#### AI description (iteration 1)

#### PR Classification

This pull request performs a dependency update by bumping the MsQuic package version.

#### PR Summary

The changes update the MsQuic version in the project by revising the version number in the `/eng/Versions.props` file.

- `/eng/Versions.props`: Changed `<MicrosoftNativeQuicMsQuicSchannelVersion>` from 2.4.16 to 2.4.17.

…-merge-8.0-2026-04-14-1148
Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
Pull request overview
This PR merges internal servicing commits into release/8.0, primarily hardening XML crypto processing against excessive recursion / unsafe transforms and tightening mail address parsing to reject CR/LF injection vectors, with a couple of infra/version updates.
Changes:
- Add recursion-depth enforcement (configurable via AppContext) across XML encryption/decryption and signature canonicalization, plus tests for boundary behavior.
- Enforce a “safe transforms only” policy for `CipherReference` transforms in `EncryptedXml` by default (opt-out via AppContext), with new security-focused test coverage and a new embedded test resource.
- Disallow CR/LF in `System.Net.Mail` mail addresses (removing prior opt-in behavior), updating unit/functional tests accordingly; update build pool image and bump MsQuic Schannel version.
Reviewed changes
Copilot reviewed 24 out of 25 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/LocalAppContextSwitches.cs | Introduces AppContext-driven knobs for recursion depth and allowing dangerous transforms. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedXml.cs | Enforces safe transform algorithms for CipherReference unless opt-out switch is set. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/XmlDecryptionTransform.cs | Adds queue-based processing with depth tracking for recursive decryption. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/CanonicalizationDispatcher.cs | Adds recursion-depth checks during canonicalization write/hash traversal. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedType.cs | Adds per-thread LoadXml recursion depth tracking for encrypted type parsing. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedData.cs | Wraps LoadXml with recursion-depth tracking. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/EncryptedKey.cs | Wraps LoadXml with recursion-depth tracking. |
| src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/KeyInfo.cs | Wraps LoadXml with recursion-depth tracking. |
| src/libraries/System.Security.Cryptography.Xml/src/Resources/Strings.resx | Adds new resource string for max-depth exceeded errors. |
| src/libraries/System.Security.Cryptography.Xml/src/System.Security.Cryptography.Xml.csproj | Enables package-on-build and includes the new LocalAppContextSwitches.cs. |
| src/libraries/System.Security.Cryptography.Xml/tests/System.Security.Cryptography.Xml.Tests.csproj | Enables RemoteExecutor, suppresses SYSLIB0057, embeds new XML resource, adds trimming descriptor reference. |
| src/libraries/System.Security.Cryptography.Xml/tests/XmlDsigC14NTransformTest.cs | Adds depth-limit tests for canonicalization transform output/digested output. |
| src/libraries/System.Security.Cryptography.Xml/tests/XmlDsigExcC14NTransformTest.cs | Adds depth-limit tests for exclusive canonicalization transform output/digested output. |
| src/libraries/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs | Adds tests covering deep documents and unsupported/dangerous transforms during signature operations. |
| src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTests.cs | Adds tests for recursive key payloads, XSLT attacks, and deep encrypted file loading. |
| src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTest.cs | Updates CipherReference tests to reflect safe-transform enforcement + opt-out switch behavior. |
| src/libraries/System.Net.Mail/src/System/Net/Mail/MailAddressParser.cs | Rejects CR/LF in parsed addresses up-front (single scan per parse operation). |
| src/libraries/System.Net.Mail/src/System/Net/Mail/MailAddress.cs | Always rejects CR/LF in domain literals (removes prior AppContext opt-in). |
| src/libraries/System.ComponentModel.Annotations/src/System/ComponentModel/DataAnnotations/EmailAddressAttribute.cs | Always rejects CR/LF for email validation (removes prior AppContext opt-in). |
| src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParsingTest.cs | Moves CRLF-containing “valid” cases into invalid data set. |
| src/libraries/System.Net.Mail/tests/Unit/MailAddressTests/MailAddressParserTest.cs | Adds explicit tests asserting CR/LF inputs throw/return false. |
| src/libraries/System.Net.Mail/tests/Functional/SmtpClientTest.cs | Removes “enabled” CRLF domain-literal tests; simplifies “disabled” to construction-time validation. |
| eng/pipelines/common/xplat-setup.yml | Updates internal Linux pool image demand. |
| eng/Versions.props | Bumps MsQuic Schannel version to 2.4.17. |
wfurt approved these changes Apr 14, 2026
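
The thread-static depth tracking with Increment/Decrement that the commit message and review overview above describe for `LoadXml`, sketched as an added example that is not code from dotnet/runtime. `DepthGuard`, the `MaxDepth` value of 64, the exception message, `Walk` and `Nested` are hypothetical stand-ins, since the page gives neither the real switch names nor the shipped limit.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Xml;

// Hypothetical helper: a per-thread counter that bounds re-entrant LoadXml-style calls.
static class DepthGuard
{
    public const int MaxDepth = 64; // assumed limit, not the library's default
    [ThreadStatic] private static int t_depth;

    public static void Increment()
    {
        // Check before incrementing, so a rejected call leaves the counter untouched.
        if (t_depth >= MaxDepth)
            throw new CryptographicException("Maximum XML nesting depth exceeded.");
        t_depth++;
    }
    public static void Decrement() => t_depth--;
}

static class Program
{
    // Stand-in for a recursive loader (for example a LoadXml that parses nested key material).
    static int Walk(XmlNode node)
    {
        DepthGuard.Increment();
        try
        {
            int deepest = 0;
            foreach (XmlNode child in node.ChildNodes)
                if (child.NodeType == XmlNodeType.Element)
                    deepest = Math.Max(deepest, Walk(child));
            return deepest + 1;
        }
        finally { DepthGuard.Decrement(); } // unwind even on failure, or the thread stays poisoned
    }

    // Constructed sample input: <e><e>...</e></e> nested `levels` deep.
    static XmlElement Nested(int levels)
    {
        var doc = new XmlDocument();
        doc.LoadXml(string.Concat(Enumerable.Repeat("<e>", levels)) +
                    string.Concat(Enumerable.Repeat("</e>", levels)));
        return doc.DocumentElement;
    }

    static void Main()
    {
        Console.WriteLine(Walk(Nested(10)));   // shallow document is accepted
        try { Walk(Nested(200)); }             // deep document is rejected at MaxDepth
        catch (CryptographicException ex) { Console.WriteLine("rejected: " + ex.Message); }
        Console.WriteLine(Walk(Nested(10)));   // counter was unwound, thread is still usable
    }
}
```

Because the counter is per-thread, a parse that fails without the `finally` would leave later, legitimate documents on the same pooled thread starting from a non-zero depth.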