[Cherry-pick][4.20] Security and bug fixes (#6672)

* Upgrade Antlr4.Runtime to v.4.11.1 (#6670)

* Add WithAuthority to MSAL application level (#6671)

* Use LRUCache in ExpressionParser for efficient memory usage (#6667)

* Microsoft.Rest.ClientRuntime bump (#6662)

Co-authored-by: Tracy Boehrer <[email protected]>

* Updated NuGet.Packaging (#6652)

Co-authored-by: PVAShiproom <[email protected]>

---------

Co-authored-by: Cecilia Avila <[email protected]>
Co-authored-by: Joel Mut <[email protected]>
Co-authored-by: Ram Fattah <[email protected]>
Co-authored-by: Tracy Boehrer <[email protected]>
Co-authored-by: PVAShiproom <[email protected]>

libraries/AdaptiveExpressions/parser/ExpressionParser.cs

@@ -2,7 +2,6 @@
 // Licensed under the MIT License.
 
 using System;
-using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Data;
 using System.Globalization;
@@ -11,7 +10,6 @@
 using Antlr4.Runtime;
 using Antlr4.Runtime.Misc;
 using Antlr4.Runtime.Tree;
-using Newtonsoft.Json.Linq;
 
 namespace AdaptiveExpressions
 {
@@ -20,7 +18,7 @@ namespace AdaptiveExpressions
     /// </summary>
     public class ExpressionParser : IExpressionParser
     {
-        private static ConcurrentDictionary<string, IParseTree> expressionDict = new ConcurrentDictionary<string, IParseTree>();
+        private static LRUCache<string, IParseTree> expressionDict = new LRUCache<string, IParseTree>();
 
         /// <summary>
         /// Initializes a new instance of the <see cref="ExpressionParser"/> class.
@@ -64,7 +62,7 @@ public Expression Parse(string expression)
         /// <returns>A ParseTree.</returns>
         protected static IParseTree AntlrParse(string expression)
         {
-            if (expressionDict.TryGetValue(expression, out var expressionParseTree))
+            if (expressionDict.TryGet(expression, out var expressionParseTree))
             {
                 return expressionParseTree;
             }
@@ -78,7 +76,7 @@ protected static IParseTree AntlrParse(string expression)
             parser.AddErrorListener(ParserErrorListener.Instance);
             parser.BuildParseTree = true;
             var expressionContext = parser.file()?.expression();
-            expressionDict.TryAdd(expression, expressionContext);
+            expressionDict.Set(expression, expressionContext);
             return expressionContext;
         }
 

libraries/Microsoft.Bot.Builder.Azure.Blobs/Microsoft.Bot.Builder.Azure.Blobs.csproj

@@ -25,7 +25,7 @@
     <PackageReference Include="System.Text.Json" Version="4.7.2" />
     <PackageReference Include="System.Text.Encodings.Web" Version="5.0.1" />
     <PackageReference Include="Azure.Storage.Blobs" Version="12.13.0" />
-    <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.21" />
+    <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.24" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="System.Threading.Tasks.Extensions" Version="4.5.4" />
     <PackageReference Include="Microsoft.Bot.Builder" Condition=" '$(ReleasePackageVersion)' == '' " Version="$(LocalPackageVersion)" />

libraries/Microsoft.Bot.Builder.Azure.Queues/Microsoft.Bot.Builder.Azure.Queues.csproj

@@ -31,7 +31,7 @@
 
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.21" />
+    <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.24" />
     <PackageReference Include="Azure.Storage.Queues" Version="12.11.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="System.Threading.Tasks.Extensions" Version="4.5.4" />

libraries/Microsoft.Bot.Builder.Azure/Microsoft.Bot.Builder.Azure.csproj

@@ -35,7 +35,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.21" />
+    <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.24" />
     <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.32.2" />
     <PackageReference Include="Microsoft.Azure.Storage.Blob" Version="9.4.2" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />

libraries/Microsoft.Bot.Builder.Dialogs.Declarative/Microsoft.Bot.Builder.Dialogs.Declarative.csproj

@@ -38,7 +38,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="3.1.22" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
-    <PackageReference Include="NuGet.Packaging" Version="5.5.1" />
+    <PackageReference Include="NuGet.Packaging" Version="5.11.5" />
     <PackageReference Include="Microsoft.Bot.Builder.Dialogs" Condition=" '$(ReleasePackageVersion)' == '' " Version="$(LocalPackageVersion)" />
     <PackageReference Include="Microsoft.Bot.Builder.Dialogs" Condition=" '$(ReleasePackageVersion)' != '' " Version="$(ReleasePackageVersion)" />
     <PackageReference Include="AdaptiveExpressions" Condition=" '$(ReleasePackageVersion)' == '' " Version="$(LocalPackageVersion)" />

libraries/Microsoft.Bot.Connector/Authentication/CertificateAppCredentials.cs

@@ -154,6 +154,7 @@ protected override Lazy<IAuthenticator> BuildIAuthenticator()
         private Identity.Client.IConfidentialClientApplication CreateClientApplication(X509Certificate2 clientCertificate, string appId, HttpClient customHttpClient = null)
         {
             var clientBuilder = Identity.Client.ConfidentialClientApplicationBuilder.Create(appId)
+               .WithAuthority(new Uri(OAuthEndpoint), ValidateAuthority)
                .WithCertificate(clientCertificate);
 
             if (customHttpClient != null)

libraries/Microsoft.Bot.Connector/Authentication/MicrosoftAppCredentials.cs

@@ -172,6 +172,7 @@ protected override Lazy<IAuthenticator> BuildIAuthenticator()
         private Identity.Client.IConfidentialClientApplication CreateClientApplication(string appId, string password, HttpClient customHttpClient = null)
         {
             var clientBuilder = Identity.Client.ConfidentialClientApplicationBuilder.Create(appId)
+               .WithAuthority(new Uri(OAuthEndpoint), ValidateAuthority)
                .WithClientSecret(password);
 
             if (customHttpClient != null)

libraries/Microsoft.Bot.Connector/Authentication/MsalAppCredentials.cs

@@ -68,13 +68,17 @@ public MsalAppCredentials(IConfidentialClientApplication clientApplication, stri
         [System.Diagnostics.CodeAnalysis.SuppressMessage("Usage", "CA2234:Pass system uri objects instead of strings", Justification = "Using string overload for legacy compatibility.")]
         public MsalAppCredentials(string appId, string appPassword, string authority = null, string scope = null, bool validateAuthority = true, ILogger logger = null)
             : this(
-                  clientApplication: ConfidentialClientApplicationBuilder.Create(appId).WithClientSecret(appPassword).Build(),
+                  clientApplication: null,
                   appId: appId,
                   authority: authority,
                   scope: scope,
                   validateAuthority: validateAuthority,
                   logger: logger)
         {
+            _clientApplication = ConfidentialClientApplicationBuilder.Create(appId)
+                .WithAuthority(authority ?? OAuthEndpoint, validateAuthority)
+                .WithClientSecret(appPassword)
+                .Build();
         }
 
         /// <summary>
@@ -89,13 +93,17 @@ public MsalAppCredentials(string appId, string appPassword, string authority = n
         [System.Diagnostics.CodeAnalysis.SuppressMessage("Usage", "CA2234:Pass system uri objects instead of strings", Justification = "Using string overload for legacy compatibility.")]
         public MsalAppCredentials(string appId, X509Certificate2 certificate, string authority = null, string scope = null, bool validateAuthority = true, ILogger logger = null)
             : this(
-                  clientApplication: ConfidentialClientApplicationBuilder.Create(appId).WithCertificate(certificate).Build(),
+                  clientApplication: null,
                   appId: appId,
                   authority: authority,
                   scope: scope,
                   validateAuthority: validateAuthority,
                   logger: logger)
         {
+            _clientApplication = ConfidentialClientApplicationBuilder.Create(appId)
+                .WithAuthority(authority ?? OAuthEndpoint, validateAuthority)
+                .WithCertificate(certificate)
+                .Build();
         }
 
         async Task<AuthenticatorResult> IAuthenticator.GetTokenAsync(bool forceRefresh)
@@ -168,7 +176,7 @@ private async Task<AuthenticatorResult> AcquireTokenAsync(bool forceRefresh = fa
 
                     // This means we acquired a valid token successfully. We can make our retry policy null.
                     return new AuthenticatorResult()
-                    { 
+                    {
                         AccessToken = msalResult.AccessToken,
                         ExpiresOn = msalResult.ExpiresOn
                     };

libraries/Microsoft.Bot.Connector/Microsoft.Bot.Connector.csproj

@@ -31,7 +31,7 @@
     <PackageReference Include="Microsoft.Extensions.Http" Version="2.1.0" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.50.0" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="5.6.0" />
-    <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.21" />
+    <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.24" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="Microsoft.Bot.Schema" Condition=" '$(ReleasePackageVersion)' == '' " Version="$(LocalPackageVersion)" />
     <PackageReference Include="Microsoft.Bot.Schema" Condition=" '$(ReleasePackageVersion)' != '' " Version="$(ReleasePackageVersion)" />