Skip to content

Merging internal commits for release/8.0#67105

Merged
wtgodbe merged 20 commits into
dotnet:release/8.0from
vseanreesermsft:internal-merge-8.0-2026-06-09-1513
Jun 10, 2026
Merged

Merging internal commits for release/8.0#67105
wtgodbe merged 20 commits into
dotnet:release/8.0from
vseanreesermsft:internal-merge-8.0-2026-06-09-1513

Conversation

@vseanreesermsft

Copy link
Copy Markdown
Contributor

No description provided.

dotnet-bot and others added 16 commits May 2, 2026 00:17
…otnet-efcore build 20260501.6

On relative base path root
dotnet-ef , Microsoft.EntityFrameworkCore , Microsoft.EntityFrameworkCore.Design , Microsoft.EntityFrameworkCore.InMemory , Microsoft.EntityFrameworkCore.Relational , Microsoft.EntityFrameworkCore.Sqlite , Microsoft.EntityFrameworkCore.SqlServer , Microsoft.EntityFrameworkCore.Tools From Version 8.0.27 -> To Version 8.0.27
…otnet-efcore build 20260505.5

On relative base path root
dotnet-ef , Microsoft.EntityFrameworkCore , Microsoft.EntityFrameworkCore.Design , Microsoft.EntityFrameworkCore.InMemory , Microsoft.EntityFrameworkCore.Relational , Microsoft.EntityFrameworkCore.Sqlite , Microsoft.EntityFrameworkCore.SqlServer , Microsoft.EntityFrameworkCore.Tools From Version 8.0.27 -> To Version 8.0.28
… aliases

Fixed issue where in grpc transcoding query parameter processing overwrites route or body-bound fields. Also fixing unmatched query parameters stored in the descriptor cache
…validation

Enforce a check for non-ASCII characters in the :path header for HTTP2/HTTP3. HTTP1 is not impacted

----
#### AI description  (iteration 1)
#### PR Classification
Bug fix to enforce ASCII validation for HTTP/2 and HTTP/3 `:path` header handling.

#### PR Summary
Replaces debug-only assertions with runtime validation to reject invalid ASCII characters in the request path for HTTP/2 and HTTP/3 streams, aborting the stream with protocol errors.
- `src/Servers/Kestrel/Core/src/Internal/Http2/Http2Stream.cs`: Validate each `:path` character is within ASCII (33–126); otherwise reset/abort the stream with `PROTOCOL_ERROR`.
- `src/Servers/Kestrel/Core/src/Internal/Http3/Http3Stream.cs`: Add the same ASCII validation and abort the stream with `ProtocolError` on invalid characters.
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
If auth middleware was after the output caching middleware and some other auth was used besides the authorization header, then apps could end up caching a page meant for a specific user and then serve the cached page for anonymous or other users.
…otnet-efcore build 20260512.6

On relative base path root
dotnet-ef , Microsoft.EntityFrameworkCore , Microsoft.EntityFrameworkCore.Design , Microsoft.EntityFrameworkCore.InMemory , Microsoft.EntityFrameworkCore.Relational , Microsoft.EntityFrameworkCore.Sqlite , Microsoft.EntityFrameworkCore.SqlServer , Microsoft.EntityFrameworkCore.Tools From Version 8.0.27 -> To Version 8.0.28
…otnet-runtime build 20260512.30

On relative base path root
Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , Microsoft.SourceBuild.Intermediate.runtime.linux-x64 From Version 8.0.27-servicing.26229.22 -> To Version 8.0.28-servicing.26262.30
Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 From Version 8.0.27 -> To Version 8.0.28
System.Security.Cryptography.Xml From Version 8.0.3 -> To Version 8.0.3
…otnet-runtime build 20260514.5

On relative base path root
Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , Microsoft.SourceBuild.Intermediate.runtime.linux-x64 From Version 8.0.27-servicing.26229.22 -> To Version 8.0.28-servicing.26264.5
Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 From Version 8.0.27 -> To Version 8.0.28
System.Security.Cryptography.Xml From Version 8.0.3 -> To Version 8.0.3
…otnet-runtime build 20260514.13

On relative base path root
Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , Microsoft.SourceBuild.Intermediate.runtime.linux-x64 From Version 8.0.27-servicing.26229.22 -> To Version 8.0.28-servicing.26264.13
Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 From Version 8.0.27 -> To Version 8.0.28
…otnet-efcore build 20260515.2

On relative base path root
dotnet-ef , Microsoft.EntityFrameworkCore , Microsoft.EntityFrameworkCore.Design , Microsoft.EntityFrameworkCore.InMemory , Microsoft.EntityFrameworkCore.Relational , Microsoft.EntityFrameworkCore.Sqlite , Microsoft.EntityFrameworkCore.SqlServer , Microsoft.EntityFrameworkCore.Tools From Version 8.0.27 -> To Version 8.0.28
…ng/internal/dotnet-efcore, dnceng/internal/dotnet-runtime

This pull request updates the following dependencies

[marker]: <> (Begin:e179a2a7-bc5d-4498-2467-08dbd53ba9ce)
## From https://dev.azure.com/dnceng/internal/_git/dotnet-efcore
- **Subscription**: [e179a2a7-bc5d-4498-2467-08dbd53ba9ce](https://maestro.dot.net/subscriptions?search=e179a2a7-bc5d-4498-2467-08dbd53ba9ce)
- **Build**: [20260515.2](https://dev.azure.com/dnceng/internal/_build/results?buildId=2976004) ([314620](https://maestro.dot.net/channel/3880/azdo:dnceng:internal:dotnet-efcore/build/314620))
- **Date Produced**: May 16, 2026 7:42:15 PM UTC
- **Commit**: [983cf3c21c0f9484cc0ed66e61b8c252d701a30b](https://dev.azure.com/dnceng/internal/_git/dotnet-efcore?_a=history&version=GC983cf3c21c0f9484cc0ed66e61b8c252d701a30b)
- **Branch**: [refs/heads/internal/release/8.0](https://dev.azure.com/dnceng/internal/_git/dotnet-efcore?version=GBrefs/heads/internal/release/8.0)

[DependencyUpdate]: <> (Begin)

- **Dependency Updates**:
  - From [8.0.27 to 8.0.28][7]
     - dotnet-ef
     - Microsoft.EntityFrameworkCore
     - Microsoft.EntityFrameworkCore.Design
     - Microsoft.EntityFrameworkCore.InMemory
     - Microsoft.EntityFrameworkCore.Relational
     - Microsoft.EntityFrameworkCore.Sqlite
     - Microsoft.EntityFrameworkCore.SqlServer
     - Microsoft.EntityFrameworkCore.Tools

[7]: https://dev.azure.com/dnceng/internal/_git/dotnet-efcore/branches?baseVersion=GCf119d39bcc0bc6c50f0a5e1965a145878b2c13bd&targetVersion=GC983cf3c21c0f9484cc0ed66e61b8c252d701a30b&_a=files

[DependencyUpdate]: <> (End)

[marker]: <> (End:e179a2a7-bc5d-4498-2467-08dbd53ba9ce)

[marker]: <> (Begin:83131e87-e80d-4d5b-f426-08dbd53b3319)
## From https://dev.azure.com/dnceng/internal/_git/dotnet-runtime
- **Subscription**: [83131e87-e80d-4d5b-f426-08dbd53b3319](https://maestro.dot.net/subscriptions?search=83131e87-e80d-4d5b-f426-08dbd53b3319)
- **Build**: [20260514.13](https://dev.azure.com/dnceng/internal/_build/results?buildId=2975153) ([314438](https://maestro.dot.net/channel/3880/azdo:dnceng:internal:dotnet-runtime/build/314438))
- **Date Produced**: May 14, 2026 11:26:57 PM UTC
- **Commit**: [46295af5828b062bbbf93a9cef50fd8cb9fbcb09](https://dev.azure.com/dnceng/internal/_git/dotnet-runtime?_a=history&version=GC46295af5828b062bbbf93a9cef50fd8cb9fbcb09)
- **Branch**: [refs/heads/internal/release/8.0](https://dev.azure.com/dnceng/internal/_git/dotnet-runtime?version=GBrefs/heads/internal/release/8.0)

[DependencyUpdate]: <> (Begin)

- **Dependency Updates**:
  - From [8.0.27-servicing.26229.22 to 8.0.28-servicing.26264.13][6]
     - Microsoft.Extensions.HostFactoryResolver.Sources
     - Microsoft.Internal.Runtime.AspNetCore.Transport
     - Microsoft.NETCore.BrowserDebugHost.Transport
     - Microsoft.NETCore.Platforms
     - Microsoft.SourceBuild.Intermediate.runtime.linux-x64
  - From [8.0.27 to 8.0.28][6]
     - Microsoft.NET.Runtime.MonoAOTCompiler.Task
     - Microsoft.NET.Runtime.WebAssembly.Sdk
     - Microsoft.NETCore.App.Ref
     - Microsoft.NETCo...
```
git clone aspnet/messagepack
git add remote upstream messagepack/messagepack
git fetch upstream v2.x
git merge upstream/v2.x
resolve security.md file
git rm nuget.config
git commit
git log -1
git diff --binary --no-color --output=upstream-patch.diff 94d86190bc8c30e98dae0220c0bce54cdfe48494..<merge commit id from earlier command>
```

----
#### AI description  (iteration 5)
#### PR Classification
Dependency update and security fix to upgrade MessagePack library version and apply patches to address deeply nested structure parsing vulnerabilities.

#### PR Summary
This PR updates the MessagePack library from version 2.5.187 to 2.5.301 and applies patches to the MessagePack-CSharp submodule to handle deeply nested structures safely.

- `eng/Versions.props`: Updated MessagePackVersion from 2.5.187 to 2.5.301
- `eng/build.ps1` and `eng/build.sh`: Added logic to conditionally apply two patch files (`upstream-patch.diff` and `msgpack-fix-full.diff`) to the MessagePack-CSharp submodule
- `MessagePackHubProtocolTestBase.cs`: Added test `SkipResult_WithDeeplyNestedStructure` to verify parsing of 100,000 nested arrays with null values
- `.gitattributes`: Enforced LF line endings for `.diff` and `.patch` files to ensure proper git apply functionality
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
… revert sscx dependency

Updated Version.Details.xml revert sscx dependency

----
#### AI description  (iteration 1)
#### PR Classification
Dependency version revert to address an issue with the System.Security.Cryptography.Xml package.

#### PR Summary
This pull request reverts the SHA reference for the System.Security.Cryptography.Xml dependency back to a previous commit while maintaining version 8.0.3.

- `eng/Version.Details.xml`: Reverted the SHA commit reference for System.Security.Cryptography.Xml from `e77fe8485db233c832f25e1a736ea48230386fb9` to `a6bde67c455f2ac219988c7a66171631090b6f65`
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
Copilot AI review requested due to automatic review settings June 9, 2026 22:13

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aggregates internal servicing changes for the release/8.0 line, primarily focused on security hardening (MessagePack, Kestrel path validation, gRPC JSON transcoding query binding, output caching behavior) and updating dependency versions. It also introduces a build-time patching mechanism for the MessagePack-CSharp submodule to pull in upstream/security fixes without directly committing submodule source changes.

Changes:

  • Apply MessagePack-CSharp security fixes via build-time git apply patches, plus supporting LF enforcement for patch files.
  • Harden request parsing/caching behaviors (Kestrel path validation for HTTP/2+HTTP/3, OutputCaching authenticated handling, gRPC JSON transcoding query binding cache behavior).
  • Update runtime/EFCore/MessagePack dependency versions and internal NuGet feed sources.

Reviewed changes

Copilot reviewed 19 out of 21 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/submodules/msgpack-fix-full.diff Adds a large patch to be applied to the MessagePack-CSharp submodule (security + robustness fixes + tests + API baselines).
eng/build.sh Applies MessagePack submodule patches during build when not yet applied.
eng/build.ps1 Applies MessagePack submodule patches during build on Windows.
.gitattributes Forces LF for *.diff/*.patch to keep git apply reliable under core.autocrlf=true.
eng/scripts/CodeCheck.ps1 Attempts to exclude the patched submodule from “generated code up-to-date” checks.
eng/Versions.props Bumps runtime/EFCore versions and MessagePack package version.
eng/Version.Details.xml Updates dependency versions/SHAs for runtime + EFCore.
NuGet.config Adds internal dependency-flow package sources and enables them in disabled sources list.
src/Servers/Kestrel/Core/src/Internal/Http3/Http3Stream.cs Aborts on non-byte path chars to prevent truncation during path normalization.
src/Servers/Kestrel/Core/src/Internal/Http2/Http2Stream.cs Resets/aborts on non-byte path chars to prevent truncation during path normalization.
src/Servers/Kestrel/test/InMemory.FunctionalTests/Http3/Http3StreamTests.cs Adds test coverage for non-ASCII path handling in HTTP/3 header decoding.
src/Servers/Kestrel/test/InMemory.FunctionalTests/Http2/Http2StreamTests.cs Adds test coverage for non-ASCII path handling in HTTP/2 header decoding.
src/Middleware/OutputCaching/src/Policies/DefaultPolicy.cs Prevents storing cached responses when User is authenticated (covers auth middleware after caching).
src/Middleware/OutputCaching/test/OutputCacheTests.cs Adds tests covering authenticated requests not being cached + negative test for auth-after-cache ordering.
src/Grpc/JsonTranscoding/src/Microsoft.AspNetCore.Grpc.JsonTranscoding/Internal/JsonRequestHelpers.cs Avoids caching unresolved query paths; blocks query binding from overwriting route/body fields via JSON-name aliases.
src/Grpc/JsonTranscoding/src/Microsoft.AspNetCore.Grpc.JsonTranscoding/Internal/CallHandlers/CallHandlerDescriptorInfo.cs Makes path descriptor cache non-nullable and precomputes route JSON paths set.
src/Grpc/JsonTranscoding/test/Microsoft.AspNetCore.Grpc.JsonTranscoding.Tests/UnaryServerCallHandlerTests.cs Adds tests for query path caching behavior and route/body overwrite protections.
src/Grpc/JsonTranscoding/test/Microsoft.AspNetCore.Grpc.JsonTranscoding.Tests/Proto/transcoding.proto Adds a sub_data field to support new overwrite-protection tests.
src/Grpc/JsonTranscoding/test/Microsoft.AspNetCore.Grpc.JsonTranscoding.IntegrationTests/RouteTests.cs Adds integration test for nested JSON-name query params not overwriting route-bound values.
src/SignalR/common/SignalR.Common/test/Internal/Protocol/MessagePackHubProtocolTestBase.cs Adds a regression test to ensure deeply nested skipped results don’t overflow the stack.
Comments suppressed due to low confidence (1)

eng/scripts/CodeCheck.ps1:222

  • The generated-code diff check only excludes exact file paths. Adding "src/submodules/MessagePack-CSharp" to $changedFilesExclusions won’t exclude any files under that directory (git diff lists file paths), so CodeCheck will still fail after the build scripts apply patches to the submodule. Add an explicit prefix/wildcard check for files under the submodule directory.
    # Temporary: Disable check for blazor js file and nuget.config (updated automatically for
    # internal builds)
    $changedFilesExclusions = @("src/Components/Web.JS/dist/Release/blazor.server.js", "src/Components/Web.JS/dist/Release/blazor.web.js", "NuGet.config", "src/submodules/MessagePack-CSharp")

    if ($changedFiles) {
        foreach ($file in $changedFiles) {
            if ($changedFilesExclusions -contains $file) {continue}
            $filePath = Resolve-Path "${repoRoot}/${file}"
            LogError  -filepath $filePath `

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread eng/build.ps1 Outdated
Comment thread eng/build.sh Outdated
@github-actions github-actions Bot added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Jun 9, 2026
Comment thread eng/Versions.props Outdated
This was referenced Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants