Untrustworthy Projects in Visual Studio?

Problem description

When opening a project you may have recently downloaded, Visual Studio 2013 briefly warns you to only open projects from trustworthy sources. What are some of the risks to opening projects? Can a project do any harm to your system before compilation, and what damage is possible? Are there any indicators you should be aware of before actually opening projects from "untrustworthy" sources? (Not that I can think of any)

Recommended answer

Attack Surface within Visual Studio

There are many attack vectors within Visual Studio. All of them are by design. We developers want complete control over our systems within the build process. Unfortunately, when we say "I want to delete the contents of the cache directory on build", that also means malicious project files can delete just about anything from just about anywhere. Or worse. The compromise is the "Hey. We've given you the keys to the kingdom, but we don't recognize this project. Are you sure you want to open this? We're not responsible if it does something stupid" warning message that you mentioned.

Now consider that many developers run Visual Studio as an administrator.

Here are some attack vectors:

Pre- and Post-Build Events
In its simplest form, untrusted projects could execute a Pre-Build event that would delete files. Or worse. Just about anything can be executed within a Build event. This is the 101 stuff that happens on Compile.

Executions on Project Open
Visual Studio project files are nothing more than big MSBuild configurations. There are a few MSBuild targets that Visual Studio executes when you open a project, all to support the tooling. These targets include Compile, ResolveAssemblyReferences, ResolveCOMReferences, GetFrameworkPaths, and CopyRunEnvironmentFiles. If any of these targets exist, the tasks within them are also executed. Delete files, or worse.

See: "Design-Time Execution" at http://msdn.microsoft.com/en-us/library/ms171468.aspx

IntelliSense
Part of that tooling mentioned above includes IntelliSense, which executes the Compile task within MSBuild; the CSC/VBC must be executed to get all of the IntelliSense functionality. Because of the nature of IntelliSense, this task is repeatedly executed as you work, rather than the opportunities above that are just run once on open.

See: "Design-Time IntelliSense" at http://msdn.microsoft.com/en-us/library/ms171468.aspx

Hidden Elsewhere in MSBuild
There is a sea of other routine MSBuild targets that you will manually execute throughout your day, including Build, Rebuild, Test, and Clean. Yes, keep in mind that even clean is a build target, so Clean could delete more than just your old \bin directories.

NuGet
Malicious projects may also expose systems via NuGet. Though Package Restore would not be an issue, the packages.config could specify a different Repository Source. Then, when you install a new package, such as install-package jquery, NuGet will retrieve the jQuery package from the untrusted alternate, rather than from nuget.org. This malicious jQuery package could have all sorts of other 'Goodies' within it that would be executed as a part of the package installation.

This is not a security vulnerability from NuGet, because "you" specified an alternate package source; this is by design, such as Corporations that have their own internal package repository.

At the end of the day, what can you do about this? The answer really is to just not open projects from untrusted sources. The project's packages.config file could be analyzed before you open it, but the big exposure is through MSBuild. Unless you are quite adept at reading through MSBuild schema, I would steer clear.
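The answer closes by saying the project files could be analyzed before you open them but that reading MSBuild schema by hand is hard. The script below is a pre-open triage tool of that kind, added here as an example; it is not code from the question, the answer, or Visual Studio. It assumes a project tree already on disk (cloned or unzipped, not yet opened in the IDE) and parses the MSBuild XML with Python's `xml.etree`, flagging exactly the constructs the answer describes: Pre/Post-Build events, custom `<Target>` elements that override or hook the design-time targets the answer lists, and long-standing MSBuild tasks that run commands or change the filesystem (`Exec`, `Delete`, `RemoveDir`, `Copy`, `Move`). For the package-feed point it reads a `NuGet.config` `<packageSources>` section, which is where alternate feeds are actually declared, and reports any source that is not nuget.org. The sample `.csproj` and `NuGet.config` it scans are constructed inline for the demonstration; the target names are the ones from the answer.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Targets the answer says Visual Studio runs on project open / for IntelliSense.
DESIGN_TIME_TARGETS = {"Compile", "ResolveAssemblyReferences", "ResolveCOMReferences",
                       "GetFrameworkPaths", "CopyRunEnvironmentFiles"}
# Long-standing MSBuild tasks that run commands or change the filesystem.
RISKY_TASKS = {"Exec", "Delete", "RemoveDir", "Copy", "Move"}
MSBUILD_EXTS = (".csproj", ".vbproj", ".fsproj", ".targets", ".props")
TRUSTED_FEED_PREFIXES = ("https://api.nuget.org/", "https://www.nuget.org/")


def _local(tag):
    """Drop the XML namespace: '{...}Target' -> 'Target'."""
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_file(path):
    """Return (kind, detail) findings for one MSBuild XML file, in document order."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:  # a file the parser rejects still deserves a manual look
        return [("parse-error", str(exc))]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ("PreBuildEvent", "PostBuildEvent") and (elem.text or "").strip():
            findings.append(("build-event", f"{name}: {elem.text.strip()}"))
        elif name == "Target":
            tname = elem.get("Name", "?")
            # Runs at design time if it overrides a design-time target by name or hooks one.
            hooks = (elem.get("BeforeTargets", "") + ";" + elem.get("AfterTargets", "")).split(";")
            if tname in DESIGN_TIME_TARGETS or DESIGN_TIME_TARGETS & {h.strip() for h in hooks}:
                findings.append(("design-time-target", f"Target '{tname}' runs at design time"))
            for task in elem:
                kind = _local(task.tag)
                if kind in RISKY_TASKS:
                    detail = task.get("Command") or task.get("Files") or task.get("Directories") or ""
                    findings.append(("risky-task", f"{kind} in '{tname}': {detail}"))
    return findings


def scan_nuget_config(path):
    """Return findings for <packageSources> entries that do not point at nuget.org."""
    root = ET.parse(path).getroot()
    return [("package-source", f"{add.get('key')}: {add.get('value', '')}")
            for add in root.findall("./packageSources/add")
            if not add.get("value", "").startswith(TRUSTED_FEED_PREFIXES)]


def scan_tree(root_dir):
    """Walk root_dir; return {relative path: findings} for files that have any."""
    report = {}
    for dirpath, _, files in os.walk(root_dir):
        for fname in files:
            low = fname.lower()
            scanner = (scan_nuget_config if low == "nuget.config"
                       else scan_msbuild_file if low.endswith(MSBUILD_EXTS) else None)
            full = os.path.join(dirpath, fname)
            if scanner and (found := scanner(full)):
                report[os.path.relpath(full, root_dir)] = found
    return report


# Constructed sample project: a build event, an overridden design-time target with an
# Exec task, a Clean hook with a Delete task, and a NuGet feed that is not nuget.org.
DEMO_CSPROJ = """<Project ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>echo constructed pre-build step</PreBuildEvent>
  </PropertyGroup>
  <Target Name="ResolveAssemblyReferences">
    <Exec Command="echo runs when the project is opened" />
  </Target>
  <Target Name="Tidy" AfterTargets="Clean">
    <Delete Files="$(ProjectDir)notes.txt" />
  </Target>
</Project>"""
DEMO_NUGET_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="constructed-feed" value="http://feed.example.invalid/nuget" />
  </packageSources>
</configuration>"""


def run_demo():
    """Write the constructed project to a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "Sample.csproj"), "w", encoding="utf-8") as f:
            f.write(DEMO_CSPROJ)
        with open(os.path.join(tmp, "NuGet.config"), "w", encoding="utf-8") as f:
            f.write(DEMO_NUGET_CONFIG)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, found in sorted(run_demo().items()):
        print(rel)
        for kind, detail in found:
            print(f"  [{kind}] {detail}")
```

Run it against a real checkout with `scan_tree("path/to/project")` instead of `run_demo()`. The `Tidy` target in the sample is reported only as a risky task, not as design-time, because it hooks `Clean` rather than one of the targets Visual Studio runs on open; that is the distinction the answer draws between "executed when you open the project" and "executed when you run Build, Rebuild or Clean yourself", and both still deserve a read before the project is opened.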
