Load index from validated msix for unpackaged context

[yao-msft]

Validation: Added new tests and fixed existing tests. Also did manual verification that source opening works as expected.

Microsoft Reviewers: Open in CodeFlow

[JohnMcPMS]

Not a fan of requiring the tests to run as admin.
Also not a fan of the tests changing the security profile of the machine they are run on.

Could we possibly test with a package signed by something already trusted? #Resolved

[yao-msft]

I made the tests to skip if not running with admin. But I cannot find a way to "mark" the tests as skipped. So I just output an info message.

[JohnMcPMS]

Should we just have a MsixInfo(const std::filesystem::path&) constructor? #Resolved

[yao-msft]

I just tried and since the other constructor is std::string_view, compiler gives ambiguous overloaded function call unless we update all the callers

[JohnMcPMS]

I asked about this and found out that this is a reasonable way to do it:

    template<typename T, std::enable_if_t<std::is_same_v<T, std::filesystem::path>, int> = 0>
    MsixInfo(const T& path) { ConstructFromPath(path); }

Where ConstructFromPath can then be implemented in the .cpp.

[JohnMcPMS]

GetSignature(true) to skip the first 4 bytes if they match the file id? erase here is expensive and isn't actually verifying that the bytes match the id. #Resolved

[JohnMcPMS]

Suggested change

	bool result = true;
	bool result = false;

Bugs should not result in returning a 👍 verification. #Resolved

[JohnMcPMS]

Shouldn't we be doing revocation checks? #Resolved

[JohnMcPMS]

This appears to be vulnerable to a time of check vs time of use attack; nothing is preventing the package from being replaced between the check here and opening the file later.

You need the TempSQLiteIndexFile (or another helper) that can lock the file from being modified, then do the validation and extraction. #Resolved

[JohnMcPMS]

This shouldn't be defined in a second location. #Resolved

[JohnMcPMS]

I don't love this being passed in, but I understand the need. Can we change the type to WriteLockedFile or something more generic? That could be used for both the package and index files (with a create bool that controls both open and remove on destruction functionality).

Then also just move the "extract the index file" part out of the type as it isn't really necessary to be included. #Resolved

[github-actions]

@check-spelling-bot Report

Unrecognized words, please review:

• exising
• WHOLECHAIN

Previously acknowledged words that are now absent

activatable amd Archs dsc enr FWW Globals hackathon lww mytool OSVERSION Packagedx parametermap symlink Uninitialize WDAG whatif wsb

To accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands

... in a clone of the [email protected]:yao-msft/winget-cli.git repository
on the loadmsixindex branch:

update_files() {
perl -e '
my @expect_files=qw('".github/actions/spelling/expect.txt"');
@ARGV=@expect_files;
my @stale=qw('"$patch_remove"');
my $re=join "|", @stale;
my $suffix=".".time();
my $previous="";
sub maybe_unlink { unlink($_[0]) if $_[0]; }
while (<>) {
if ($ARGV ne $old_argv) { maybe_unlink($previous); $previous="$ARGV$suffix"; rename($ARGV, $previous); open(ARGV_OUT, ">$ARGV"); select(ARGV_OUT); $old_argv = $ARGV; }
next if /^(?:$re)(?:(?:\r|\n)*$| .*)/; print;
}; maybe_unlink($previous);'
perl -e '
my $new_expect_file=".github/actions/spelling/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/microsoft/winget-cli/issues/comments/1123174846" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_remove=$(perl -ne 'next unless s{^</summary>(.*)</details>$}{$1}; print' < "$comment_body")
  

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u

[JohnMcPMS]

Suggested change

	INFO("Test requires admin privilege. Skipped.");
	WARN("Test requires admin privilege. Skipped.");

Not sure how this behaves instead, maybe it is more obvious? #Resolved

[JohnMcPMS]

Suggested change

	HANDLE GetFileHandle() { return m_fileHandle.get(); }
	HANDLE GetFileHandle() const { return m_fileHandle.get(); }
	``` #Resolved

[JohnMcPMS]

Suggested change

	const std::filesystem::path& GetFilePath() { return m_filePath; }
	const std::filesystem::path& GetFilePath() const { return m_filePath; }
	``` #Resolved

[JohnMcPMS]

Do we need to set this every time through the loop? #Resolved

[JohnMcPMS]

We don't appear to be doing anything to prevent writing more than expectedSize. Is that intentional? #Resolved

[JohnMcPMS]

getRawSignature being true, but the code then modifying the signature, doesn't make sense to me. Maybe this was supposed to be if (!getRawSignature)? Or should the name be changed to skipFileID? #Resolved

[JohnMcPMS]

I would either create a new function GetNewTempFilePath or GetPathTo(PathName::NewTempFile), but both would return the same type of path you are constructing here. This is definitely reusable. #Resolved

[yao-msft]

by looking at GetPathTo() code, it's more of returning a directory caller can work on. I'll create GetNewTempFilePath() then

[JohnMcPMS]

You need another

auto indexPackageLock = Utility::ManagedFile::OpenWriteLockedFile(packagePath, 0);

to prevent a TOCTOU here as well (between validation and the IsNewerThan).

It might even be worth making a helper type like:

struct PersistedIndexPackage
{
PersistedIndexPackage(path);
bool ValidateMsixTrustInfo(bool checkMSOrigin);

private:
ManagedFile m_fileLock;
}

Then remove the free function ValidateMsixTrustInfo. That way you must lock the file to validate it, and hopefully that translates into the appropriate lifetime of the lock in the calling code. #Resolved

[yao-msft]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[JohnMcPMS]

The reason to move to this model was that the only way to call ValidateMsixTrustInfo would be to create a PersistedIndexPackage. If you leave the free function ValidateMsixTrustInfo around, someone can still use it without the file lock. #Resolved