New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

move trust for ProductBinaries to Unrestricted. #5511

Merged

daxian-dbw merged 4 commits into PowerShell:master from TravisEz13:fix_allSigned

Nov 29, 2017

Member

TravisEz13 commented Nov 20, 2017

fixes #5485

Causes Restricted and AllSigned execution policies to no longer trust PSHome by default.
To prevent behavior changes to Unrestricted, the trust for PShome was added here.
Update the description of Unrestricted to indicate that it requires the shell (an existing requirement.)

TravisEz13 changed the base branch from 6.0.0 to master

November 21, 2017 00:03

TravisEz13 force-pushed the fix_allSigned branch from b5e8c7a to 662b32e Compare

November 21, 2017 00:04

daxian-dbw reviewed

View reviewed changes

src/System.Management.Automation/security/SecurityManager.cs Outdated

    
            @@ -189,6 +185,10 @@ private bool CheckPolicy(ExternalScriptInfo script, PSHost host, out Exception r
          
              #endif

                          if (_executionPolicy == ExecutionPolicy.Unrestricted)

                          {

                              // Product binaries are always trusted

                              if (SecuritySupport.IsProductBinary(path))

Member

daxian-dbw Nov 21, 2017

If the execution policy is unrestricted, then I think we don't need this check anymore.

Member

daxian-dbw Nov 21, 2017 •

edited

Chatted with Travis offline. This check is needed to bypass files downloaded from the internet to $PSHome\Module when it's Unrestricted.
Need to add a comment about this.

daxian-dbw approved these changes

View reviewed changes

src/System.Management.Automation/security/SecurityManager.cs Outdated

    
            @@ -189,6 +185,10 @@ private bool CheckPolicy(ExternalScriptInfo script, PSHost host, out Exception r
          
              #endif

                          if (_executionPolicy == ExecutionPolicy.Unrestricted)

                          {

                              // Product binaries are always trusted

                              if (SecuritySupport.IsProductBinary(path))

Member

daxian-dbw Nov 21, 2017 •

edited

Chatted with Travis offline. This check is needed to bypass files downloaded from the internet to $PSHome\Module when it's Unrestricted.
Need to add a comment about this.

Member

SteveL-MSFT commented Nov 21, 2017

Can we add a test?

TravisEz13 added 2 commits

November 21, 2017 13:13


          move trust for ProductBinaries to Unrestricted.

710b107


          address PR feedback

aea3299

TravisEz13 force-pushed the fix_allSigned branch from 7f2fe7b to 73c15ab Compare

November 27, 2017 21:19

SteveL-MSFT requested changes

View reviewed changes

test/powershell/Modules/Microsoft.PowerShell.Security/ExecutionPolicy.Tests.ps1 Outdated

    
                              }

                          )

                          It "$TestTypePrefix Running <testScript> Module should return <error>" -TestCases $testDate  {

Member

SteveL-MSFT Nov 27, 2017

typo: should be $testData

test/powershell/Modules/Microsoft.PowerShell.Security/ExecutionPolicy.Tests.ps1 Outdated

    
                          )

                          It "$TestTypePrefix Running <testScript> Module should return <error>" -TestCases $testDate  {

Member

SteveL-MSFT Nov 27, 2017

Missing param block

test/powershell/Modules/Microsoft.PowerShell.Security/ExecutionPolicy.Tests.ps1 Outdated

    
                              }

                              catch

                              {

                                  $exception = $_

Member

SteveL-MSFT Nov 27, 2017

change to use ShouldBeErrorId?

Member Author

TravisEz13 Nov 28, 2017

Sorry, I accidentally pushed an incomplete commit. I have updated the PR.


          Add tests

TravisEz13 force-pushed the fix_allSigned branch from cf20b34 to 3094513 Compare

November 28, 2017 01:23

TravisEz13 commented

View reviewed changes

test/powershell/Modules/Microsoft.PowerShell.Security/ExecutionPolicy.Tests.ps1

		)
		foreach($testScript in $testScripts) {

Member Author

TravisEz13 Nov 28, 2017

Note, $testScripts was not defined in this scope, so nothing was being run.

Member Author

TravisEz13 commented Nov 28, 2017

Note, issue #5559 was filed when adding tests due to an issue with the tests. I have marked the affected tests to be skipped.

SteveL-MSFT requested changes

View reviewed changes

test/powershell/Modules/Microsoft.PowerShell.Security/ExecutionPolicy.Tests.ps1 Outdated

+                                  error = $null
+                              }
+                          )
+                          It "$TestTypePrefix Running <testScript> Script should throw '<error>'" -TestCases $skipTestData -Skip  {}

Member

SteveL-MSFT Nov 28, 2017

Should this be Pending and not Skipped?


          address PR feedback

SteveL-MSFT approved these changes

View reviewed changes

TravisEz13 assigned daxian-dbw

TravisEz13 added this to the 6.0.0-GA milestone

daxian-dbw merged commit f67844e into PowerShell:master

TravisEz13 deleted the fix_allSigned branch

November 29, 2017 01:56

TravisEz13 added a commit to TravisEz13/PowerShell that referenced this pull request


          Make 'AllSigned' execution policy require modules under $PSHome to be…

7d06c7a

… signed (PowerShell#5511)

TravisEz13 mentioned this pull request

Merge 6.0.0 ga changes #5585

Merged

TravisEz13 added a commit that referenced this pull request


          Make 'AllSigned' execution policy require modules under $PSHome to be…

3f9ff3f

… signed (#5511)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment