Skip to content

Security/block dll references enforce nuget only#41

Merged
imsaadawais merged 3 commits into
mainfrom
security/block-dll-references-enforce-nuget-only
May 22, 2026
Merged

Security/block dll references enforce nuget only#41
imsaadawais merged 3 commits into
mainfrom
security/block-dll-references-enforce-nuget-only

Conversation

@imsaadawais

Copy link
Copy Markdown
Contributor

This pull request introduces important security enhancements and build automation improvements for the Blazor Orchestrator project. The primary focus is to enforce a strict policy prohibiting user-supplied .dll files in job packages, ensuring only NuGet dependencies are allowed. Additionally, it automates the packaging of the job template using a new PowerShell script and MSBuild integration, eliminating manual steps and reducing the risk of stale or incorrect zip artifacts. Several projects also receive a minor update to the OpenTelemetry.Exporter.OpenTelemetryProtocol package.

Security: Enforce No User-Supplied DLLs in Packages

  • Added checks in package validation, build, and execution to reject any packages or source directories containing .dll files, ensuring only NuGet dependencies (declared in .nuspec) are allowed. This is enforced in:

Build Automation: Job Template Packaging

  • Introduced a new PowerShell script Package-JobTemplate.ps1 to automate the creation of the job template zip, removing build artifacts and user-specific files, and including the .slnx file.
  • Integrated the packaging script into the BlazorOrchestrator.Web.csproj as an MSBuild target, ensuring the zip is always up-to-date and generated before each build.
  • Updated documentation with a detailed automation plan, usage instructions, and risk mitigations for the new packaging process.

Dependency Updates

  • Updated OpenTelemetry.Exporter.OpenTelemetryProtocol to version 1.15.3 across all relevant projects for consistency and security. [1] [2] [3] [4] [5] [6]

Added MSBuild target in BlazorOrchestrator.Web.csproj that runs Package-JobTemplate.ps1 before each build. The target uses Inputs/Outputs for incremental builds so the zip is only regenerated when template source files change.

- scripts/Package-JobTemplate.ps1: stages template, removes bin/obj/Properties/__pycache__/.csproj.user/execution_errors.log, includes JobTemplate.slnx, and creates the zip

- BlazorOrchestrator.Web.csproj: PackageJobTemplate target (BeforeTargets=BeforeBuild) with incremental build support

- .gitignore: exclude the generated zip since it is now a build artifact

- docs/JobTemplateZipAutomationPlan.md: design plan documenting all three options
This change prevents users from adding .dll files to job packages. All external dependencies must be declared as NuGet packages in the .nuspec file and resolved via NuGetResolverService.

Changes:

1. CodeExecutorService.cs (Core/Services)

   - Removed code that blindly loaded all .dll files from extracted packages

   - Added security check that rejects execution if any .dll files are found in the package

   - Removed secondary loop that pre-loaded package DLLs into the AppDomain

   - NuGet-resolved assemblies (via .nuspec) continue to work as before

2. JobManager.cs (Core)

   - Replaced the DLL scanning/loading loop with a security check

   - Throws InvalidOperationException if .dll files are found in the package

   - Logs a security-level error message identifying the rejected DLL files

3. NuGetPackageBuilderService.cs (Core/Services)

   - Added validation at the start of BuildPackageAsync()

   - Rejects the build if the source directory contains any .dll files

   - Returns a clear error message listing the offending files

4. PackageProcessorService.cs (Core/Services)

   - Added DLL detection to ValidateNuSpecAsync()

   - Packages containing .dll files now fail validation with a descriptive error

5. JobDetailsDialog.razor (Web/Components/Pages/Dialogs)

   - Added client-side validation during package upload (.nupkg/.zip)

   - Inspects zip archive entries for .dll files before uploading

   - Rejects upload with a user-friendly notification listing found DLLs

Defense in depth: The restriction is enforced at every layer - package build, package upload, package validation, and package execution.
Added `OpenTelemetry.Exporter.OpenTelemetryProtocol` (v1.15.3)
to multiple projects to enable OpenTelemetry protocol exporting.
Updated its version in `BlazorOrchestrator.ServiceDefaults.csproj`
for consistency.

Refined MSBuild configuration in `BlazorOrchestrator.Web.csproj`
to improve readability and streamline `JobTemplateInputs` and
`PackageJobTemplate` targets.

Updated `BlazorDataOrchestrator.JobCreatorTemplate.zip` binary
to reflect changes in the packaged job template.
Copilot AI review requested due to automatic review settings May 22, 2026 01:01
@imsaadawais imsaadawais merged commit b89e21b into main May 22, 2026
@imsaadawais imsaadawais deleted the security/block-dll-references-enforce-nuget-only branch May 22, 2026 01:01
@imsaadawais imsaadawais removed the request for review from Copilot May 22, 2026 01:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant