From 3893c4d55be2fc562e1d7c11653e2de5006c4257 Mon Sep 17 00:00:00 2001
From: Travis Plunk <travis.plunk@microsoft.com>
Date: Thu, 14 Oct 2021 14:53:41 -0700
Subject: [PATCH] Disallow Add-Type in NoLanguage mode on a locked down machine
 (#16245)

---
 .../commands/utility/AddType.cs               |  7 ++--
 .../ConstrainedLanguageRestriction.Tests.ps1  | 35 +++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs
index 48ee839e99..5ce91a36a4 100644
--- a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs
+++ b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs
@@ -11,6 +11,7 @@ using System.IO;
 using System.Linq;
 using System.Management.Automation;
 using System.Management.Automation.Internal;
+using System.Management.Automation.Security;
 using System.Reflection;
 using System.Runtime.Loader;
 using System.Security;
@@ -549,8 +550,10 @@ namespace Microsoft.PowerShell.Commands
         /// </summary>
         protected override void BeginProcessing()
         {
-            // Prevent code compilation in ConstrainedLanguage mode
-            if (SessionState.LanguageMode == PSLanguageMode.ConstrainedLanguage)
+            // Prevent code compilation in ConstrainedLanguage mode, or NoLanguage mode under system lock down.
+            if (SessionState.LanguageMode == PSLanguageMode.ConstrainedLanguage ||
+                (SessionState.LanguageMode == PSLanguageMode.NoLanguage && 
+                 SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce))
             {
                 ThrowTerminatingError(
                     new ErrorRecord(
diff --git a/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageRestriction.Tests.ps1 b/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageRestriction.Tests.ps1
index 047fcf9582..e9397f86ec 100644
--- a/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageRestriction.Tests.ps1
+++ b/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageRestriction.Tests.ps1
@@ -672,6 +672,41 @@ try
         }
     }
 
+    Describe "Add-Type in no language mode on locked down system" -Tags 'Feature','RequireAdminOnWindows' {
+
+        It "Verifies Add-Type fails in no language mode when in system lock down" {
+
+            # Create No-Language session, that allows Add-Type cmdlet
+            $entry = [System.Management.Automation.Runspaces.SessionStateCmdletEntry]::new('Add-Type', [Microsoft.PowerShell.Commands.AddTypeCommand], $null)
+            $iss = [initialsessionstate]::CreateRestricted([System.Management.Automation.SessionCapabilities]::Language)
+            $iss.Commands.Add($entry)
+            $rs = [runspacefactory]::CreateRunspace($iss)
+            $rs.Open()
+
+            # Try to use Add-Type in No-Language session
+            $ps = [powershell]::Create($rs)
+            $ps.AddCommand('Add-Type').AddParameter('TypeDefinition', 'public class C1 { }')
+            $expectedError = $null
+            try
+            {
+                Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
+                $ps.Invoke()
+            }
+            catch
+            {
+                $expectedError = $_
+            }
+            finally
+            {
+                Invoke-LanguageModeTestingSupportCmdlet -RevertLockdownMode -EnableFullLanguageMode
+                $rs.Dispose()
+                $ps.Dispose()
+            }
+
+            $expectedError.Exception.InnerException.ErrorRecord.FullyQualifiedErrorId | Should -BeExactly 'CannotDefineNewType,Microsoft.PowerShell.Commands.AddTypeCommand'
+        }
+    }
+
     Describe "Import-LocalizedData additional commands in constrained language" -Tags 'Feature','RequireAdminOnWindows' {
 
         It "Verifies Import-LocalizedData disallows Add-Type in constrained language" {