Disallow Add-Type in NoLanguage mode on a locked down machine (#16245)

2024-11-23 09:43:57 +08:00 · 2021-10-14 14:53:41 -07:00 · 2021-10-14 14:53:41 -07:00 · 3893c4d55b
commit 3893c4d55b
parent cd6eccb1ac
2 changed files with 40 additions and 2 deletions
--- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs
+++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs
@ -11,6 +11,7 @@ using System.IO;
 using System.Linq;
 using System.Management.Automation;
 using System.Management.Automation.Internal;
+using System.Management.Automation.Security;
 using System.Reflection;
 using System.Runtime.Loader;
 using System.Security;
@ -549,8 +550,10 @@ namespace Microsoft.PowerShell.Commands
        /// </summary>
        protected override void BeginProcessing()
        {
-            // Prevent code compilation in ConstrainedLanguage mode
-            if (SessionState.LanguageMode == PSLanguageMode.ConstrainedLanguage)
+            // Prevent code compilation in ConstrainedLanguage mode, or NoLanguage mode under system lock down.
+            if (SessionState.LanguageMode == PSLanguageMode.ConstrainedLanguage ||
+                (SessionState.LanguageMode == PSLanguageMode.NoLanguage && 
+                 SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce))
            {
                ThrowTerminatingError(
                    new ErrorRecord(
--- a/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageRestriction.Tests.ps1
+++ b/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageRestriction.Tests.ps1
@ -672,6 +672,41 @@ try
        }
    }

+    Describe "Add-Type in no language mode on locked down system" -Tags 'Feature','RequireAdminOnWindows' {
+
+        It "Verifies Add-Type fails in no language mode when in system lock down" {
+
+            # Create No-Language session, that allows Add-Type cmdlet
+            $entry = [System.Management.Automation.Runspaces.SessionStateCmdletEntry]::new('Add-Type', [Microsoft.PowerShell.Commands.AddTypeCommand], $null)
+            $iss = [initialsessionstate]::CreateRestricted([System.Management.Automation.SessionCapabilities]::Language)
+            $iss.Commands.Add($entry)
+            $rs = [runspacefactory]::CreateRunspace($iss)
+            $rs.Open()
+
+            # Try to use Add-Type in No-Language session
+            $ps = [powershell]::Create($rs)
+            $ps.AddCommand('Add-Type').AddParameter('TypeDefinition', 'public class C1 { }')
+            $expectedError = $null
+            try
+            {
+                Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
+                $ps.Invoke()
+            }
+            catch
+            {
+                $expectedError = $_
+            }
+            finally
+            {
+                Invoke-LanguageModeTestingSupportCmdlet -RevertLockdownMode -EnableFullLanguageMode
+                $rs.Dispose()
+                $ps.Dispose()
+            }
+
+            $expectedError.Exception.InnerException.ErrorRecord.FullyQualifiedErrorId | Should -BeExactly 'CannotDefineNewType,Microsoft.PowerShell.Commands.AddTypeCommand'
+        }
+    }
+
    Describe "Import-LocalizedData additional commands in constrained language" -Tags 'Feature','RequireAdminOnWindows' {

        It "Verifies Import-LocalizedData disallows Add-Type in constrained language" {