Use DefaultDllImportSearchPaths attribute

docs/Analyzer Configuration.md

@@ -288,4 +288,13 @@ Option Values: integral values
 
 Default Value: Specific to each configurable rule ('100000' by default for most rules)
 
-Example: `dotnet_net_core.CA5387.sufficient_IterationCount_for_weak_KDF_algorithm = 100000`
+Example: `dotnet_code_quality.CA5387.sufficient_IterationCount_for_weak_KDF_algorithm = 100000`
+
+#### Configure unsafe DllImportSearchPath bits when using DefaultDllImportSearchPaths attribute
+Option Name: `unsafe_DllImportSearchPath_bits`
+
+Option Values: Integer values of System.Runtime.InteropServices.DllImportSearchPath
+
+Default Value: Specific to each configurable rule ('258', which is AssemblyDirectory | UseDllDirectoryForDependencies, by default for most rules)
+
+Example: `dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 258`

src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx

@@ -1074,4 +1074,22 @@
   <data name="JsonNetMaybeInsecureSerializerTitle" xml:space="preserve">
     <value>Ensure that JsonSerializer has a secure configuration when deserializing</value>
   </data>
+  <data name="UseDefaultDllImportSearchPathsAttribute" xml:space="preserve">
+    <value>Use DefaultDllImportSearchPaths attribute for P/Invokes</value>
+  </data>
+  <data name="UseDefaultDllImportSearchPathsAttributeDescription" xml:space="preserve">
+    <value>By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking.</value>
+  </data>
+  <data name="UseDefaultDllImportSearchPathsAttributeMessage" xml:space="preserve">
+    <value>The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes.</value>
+  </data>
+  <data name="DoNotUseUnsafeDllImportSearchPath" xml:space="preserve">
+    <value>Do not use unsafe DllImportSearchPath value</value>
+  </data>
+  <data name="DoNotUseUnsafeDllImportSearchPathDescription" xml:space="preserve">
+    <value>There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead</value>
+  </data>
+  <data name="DoNotUseUnsafeDllImportSearchPathMessage" xml:space="preserve">
+    <value>Use unsafe DllImportSearchPath value {0}</value>
+  </data>
 </root>

src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs

@@ -0,0 +1,143 @@
+// Copyright (c) Microsoft.  All Rights Reserved.  Licensed under the Apache License, Version 2.0.  See License.txt in the project root for license information.
+
+using System.Collections.Immutable;
+using System.IO;
+using System.Linq;
+using System.Runtime.InteropServices;
+using Analyzer.Utilities;
+using Analyzer.Utilities.Extensions;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.Diagnostics;
+using Microsoft.CodeAnalysis.FlowAnalysis.DataFlow;
+using Microsoft.NetCore.Analyzers.Security.Helpers;
+
+namespace Microsoft.NetCore.Analyzers.Security
+{
+    [DiagnosticAnalyzer(LanguageNames.CSharp, LanguageNames.VisualBasic)]
+    public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer
+    {
+        internal static DiagnosticDescriptor UseDefaultDllImportSearchPathsAttributeRule = SecurityHelpers.CreateDiagnosticDescriptor(
+            "CA5392",
+            typeof(MicrosoftNetCoreAnalyzersResources),
+            nameof(MicrosoftNetCoreAnalyzersResources.UseDefaultDllImportSearchPathsAttribute),
+            nameof(MicrosoftNetCoreAnalyzersResources.UseDefaultDllImportSearchPathsAttributeMessage),
+            DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX,
+            helpLinkUri: null,
+            descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.UseDefaultDllImportSearchPathsAttributeDescription),
+            customTags: WellKnownDiagnosticTags.Telemetry);
+        internal static DiagnosticDescriptor DoNotUseUnsafeDllImportSearchPathRule = SecurityHelpers.CreateDiagnosticDescriptor(
+            "CA5393",
+            nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseUnsafeDllImportSearchPath),
+            nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseUnsafeDllImportSearchPathMessage),
+            DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX,
+            helpLinkUri: null,
+            descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseUnsafeDllImportSearchPathDescription),
+            customTags: WellKnownDiagnosticTagsExtensions.DataflowAndTelemetry);
+
+        // DllImportSearchPath.AssemblyDirectory = 2.
+        // DllImportSearchPath.UseDllDirectoryForDependencies = 256.
+        // DllImportSearchPath.ApplicationDirectory = 512.
+        private const int UnsafeBits = 2 | 256 | 512;
+        private const int LegacyBehavior = 0;
+
+        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(
+            UseDefaultDllImportSearchPathsAttributeRule,
+            DoNotUseUnsafeDllImportSearchPathRule);
+
+        public override void Initialize(AnalysisContext context)
+        {
+            context.EnableConcurrentExecution();
+
+            // Security analyzer - analyze and report diagnostics on generated code.
+            context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
+
+            context.RegisterCompilationStartAction(compilationStartAnalysisContext =>
+            {
+                var compilation = compilationStartAnalysisContext.Compilation;
+                var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
+
+                if (!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemRuntimeInteropServicesDllImportAttribute, out INamedTypeSymbol dllImportAttributeTypeSymbol) ||
+                    !wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemRuntimeInteropServicesDefaultDllImportSearchPathsAttribute, out INamedTypeSymbol defaultDllImportSearchPathsAttributeTypeSymbol))
+                {
+                    return;
+                }
+
+                var cancellationToken = compilationStartAnalysisContext.CancellationToken;
+                var unsafeDllImportSearchPathBits = compilationStartAnalysisContext.Options.GetUnsignedIntegralOptionValue(
+                    optionName: EditorConfigOptionNames.UnsafeDllImportSearchPathBits,
+                    rule: DoNotUseUnsafeDllImportSearchPathRule,
+                    defaultValue: UnsafeBits,
+                    cancellationToken: cancellationToken);
+                var defaultDllImportSearchPathsAttributeOnAssembly = compilation.Assembly.GetAttributes().FirstOrDefault(o => o.AttributeClass.Equals(defaultDllImportSearchPathsAttributeTypeSymbol));
+
+                compilationStartAnalysisContext.RegisterSymbolAction(symbolAnalysisContext =>
+                {
+                    var symbol = symbolAnalysisContext.Symbol;
+
+                    if (!symbol.IsExtern || !symbol.IsStatic)
+                    {
+                        return;
+                    }
+
+                    var dllImportAttribute = symbol.GetAttributes().FirstOrDefault(s => s.AttributeClass.Equals(dllImportAttributeTypeSymbol));
+                    var defaultDllImportSearchPathsAttribute = symbol.GetAttributes().FirstOrDefault(s => s.AttributeClass.Equals(defaultDllImportSearchPathsAttributeTypeSymbol));
+
+                    if (dllImportAttribute != null)
+                    {
+                        var constructorArguments = dllImportAttribute.ConstructorArguments;
+
+                        if (constructorArguments.Length == 0)
+                        {
+                            return;
+                        }
+
+                        if (Path.IsPathRooted(constructorArguments[0].Value.ToString()))
+                        {
+                            return;
+                        }
+
+                        var rule = UseDefaultDllImportSearchPathsAttributeRule;
+                        var ruleArgument = symbol.Name;
+
+                        if (defaultDllImportSearchPathsAttribute == null)
+                        {
+                            if (defaultDllImportSearchPathsAttributeOnAssembly != null)
+                            {
+                                var dllImportSearchPathOnAssembly = (int)defaultDllImportSearchPathsAttributeOnAssembly.ConstructorArguments.FirstOrDefault().Value;
+                                var validBits = dllImportSearchPathOnAssembly & unsafeDllImportSearchPathBits;
+
+                                if (dllImportSearchPathOnAssembly != LegacyBehavior &&
+                                    validBits == 0)
+                                {
+                                    return;
+                                }
+
+                                rule = DoNotUseUnsafeDllImportSearchPathRule;
+                                ruleArgument = ((DllImportSearchPath)validBits).ToString();
+                            }
+                        }
+                        else
+                        {
+                            var dllImportSearchPath = (int)defaultDllImportSearchPathsAttribute.ConstructorArguments.FirstOrDefault().Value;
+                            var validBits = dllImportSearchPath & unsafeDllImportSearchPathBits;
+
+                            if (dllImportSearchPath != LegacyBehavior &&
+                                validBits == 0)
+                            {
+                                return;
+                            }
+
+                            rule = DoNotUseUnsafeDllImportSearchPathRule;
+                            ruleArgument = ((DllImportSearchPath)validBits).ToString();
+                        }
+
+                        symbolAnalysisContext.ReportDiagnostic(
+                            symbol.CreateDiagnostic(
+                                rule,
+                                ruleArgument));
+                    }
+                }, SymbolKind.Method);
+            });
+        }
+    }
+}

src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf

@@ -2,6 +2,21 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="cs" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="DoNotUseUnsafeDllImportSearchPath">
+        <source>Do not use unsafe DllImportSearchPath value</source>
+        <target state="new">Do not use unsafe DllImportSearchPath value</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotUseUnsafeDllImportSearchPathDescription">
+        <source>There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead</source>
+        <target state="new">There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotUseUnsafeDllImportSearchPathMessage">
+        <source>Use unsafe DllImportSearchPath value {0}</source>
+        <target state="new">Use unsafe DllImportSearchPath value {0}</target>
+        <note />
+      </trans-unit>
       <trans-unit id="JsonNetInsecureSerializerMessage">
         <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
         <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
@@ -122,6 +137,21 @@
         <target state="translated">Pokud chcete zmenšit bezpečnostní riziko, zařaďte pole {0} jako Unicode tak, že StructLayout.CharSet na {1} nastavíte na CharSet.Unicode nebo explicitně zařadíte pole jako UnmanagedType.LPWStr. Pokud potřebujete tento řetězec zařadit jako ANSI nebo jako systémově závislý, zadejte explicitně MarshalAs a pomocí atributu BestFitMapping vypněte přizpůsobené mapování. Zabezpečení můžete ještě zvýšit tak, že zapnete ThrowOnUnmappableChar.</target>
         <note />
       </trans-unit>
+      <trans-unit id="UseDefaultDllImportSearchPathsAttribute">
+        <source>Use DefaultDllImportSearchPaths attribute for P/Invokes</source>
+        <target state="new">Use DefaultDllImportSearchPaths attribute for P/Invokes</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="UseDefaultDllImportSearchPathsAttributeDescription">
+        <source>By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking.</source>
+        <target state="new">By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="UseDefaultDllImportSearchPathsAttributeMessage">
+        <source>The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes.</source>
+        <target state="new">The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UseManagedEquivalentsOfWin32ApiTitle">
         <source>Use managed equivalents of win32 api</source>
         <target state="translated">Použití spravovaných ekvivalentů rozhraní Win32 API</target>

src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf

@@ -2,6 +2,21 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="de" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="DoNotUseUnsafeDllImportSearchPath">
+        <source>Do not use unsafe DllImportSearchPath value</source>
+        <target state="new">Do not use unsafe DllImportSearchPath value</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotUseUnsafeDllImportSearchPathDescription">
+        <source>There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead</source>
+        <target state="new">There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotUseUnsafeDllImportSearchPathMessage">
+        <source>Use unsafe DllImportSearchPath value {0}</source>
+        <target state="new">Use unsafe DllImportSearchPath value {0}</target>
+        <note />
+      </trans-unit>
       <trans-unit id="JsonNetInsecureSerializerMessage">
         <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
         <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
@@ -122,6 +137,21 @@
         <target state="translated">Um das Sicherheitsrisiko zu verringern, marshallen Sie das Feld "{0}" als Unicode, indem Sie "StructLayout.CharSet" für "{1}" auf "CharSet.Unicode" festlegen oder das Feld explizit als "UnmanagedType.LPWStr" marshallen. Wenn Sie diese Zeichenfolge als ANSI oder systemunabhängig marshallen müssen, geben Sie MarshalAs explizit an, deaktivieren Sie die optimierte Zuordnung mithilfe des BestFitMapping-Attributs, und stellen Sie zur Erhöhung der Sicherheit sicher, dass ThrowOnUnmappableChar aktiviert ist.</target>
         <note />
       </trans-unit>
+      <trans-unit id="UseDefaultDllImportSearchPathsAttribute">
+        <source>Use DefaultDllImportSearchPaths attribute for P/Invokes</source>
+        <target state="new">Use DefaultDllImportSearchPaths attribute for P/Invokes</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="UseDefaultDllImportSearchPathsAttributeDescription">
+        <source>By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking.</source>
+        <target state="new">By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="UseDefaultDllImportSearchPathsAttributeMessage">
+        <source>The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes.</source>
+        <target state="new">The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UseManagedEquivalentsOfWin32ApiTitle">
         <source>Use managed equivalents of win32 api</source>
         <target state="translated">Verwaltete Entsprechungen der Win32-API verwenden</target>