Security/block dll references enforce nuget only#41
Merged
imsaadawais merged 3 commits intoMay 22, 2026
Conversation
Added MSBuild target in BlazorOrchestrator.Web.csproj that runs Package-JobTemplate.ps1 before each build. The target uses Inputs/Outputs for incremental builds so the zip is only regenerated when template source files change. - scripts/Package-JobTemplate.ps1: stages template, removes bin/obj/Properties/__pycache__/.csproj.user/execution_errors.log, includes JobTemplate.slnx, and creates the zip - BlazorOrchestrator.Web.csproj: PackageJobTemplate target (BeforeTargets=BeforeBuild) with incremental build support - .gitignore: exclude the generated zip since it is now a build artifact - docs/JobTemplateZipAutomationPlan.md: design plan documenting all three options
This change prevents users from adding .dll files to job packages. All external dependencies must be declared as NuGet packages in the .nuspec file and resolved via NuGetResolverService. Changes: 1. CodeExecutorService.cs (Core/Services) - Removed code that blindly loaded all .dll files from extracted packages - Added security check that rejects execution if any .dll files are found in the package - Removed secondary loop that pre-loaded package DLLs into the AppDomain - NuGet-resolved assemblies (via .nuspec) continue to work as before 2. JobManager.cs (Core) - Replaced the DLL scanning/loading loop with a security check - Throws InvalidOperationException if .dll files are found in the package - Logs a security-level error message identifying the rejected DLL files 3. NuGetPackageBuilderService.cs (Core/Services) - Added validation at the start of BuildPackageAsync() - Rejects the build if the source directory contains any .dll files - Returns a clear error message listing the offending files 4. PackageProcessorService.cs (Core/Services) - Added DLL detection to ValidateNuSpecAsync() - Packages containing .dll files now fail validation with a descriptive error 5. JobDetailsDialog.razor (Web/Components/Pages/Dialogs) - Added client-side validation during package upload (.nupkg/.zip) - Inspects zip archive entries for .dll files before uploading - Rejects upload with a user-friendly notification listing found DLLs Defense in depth: The restriction is enforced at every layer - package build, package upload, package validation, and package execution.
Added `OpenTelemetry.Exporter.OpenTelemetryProtocol` (v1.15.3) to multiple projects to enable OpenTelemetry protocol exporting. Updated its version in `BlazorOrchestrator.ServiceDefaults.csproj` for consistency. Refined MSBuild configuration in `BlazorOrchestrator.Web.csproj` to improve readability and streamline `JobTemplateInputs` and `PackageJobTemplate` targets. Updated `BlazorDataOrchestrator.JobCreatorTemplate.zip` binary to reflect changes in the packaged job template.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces important security enhancements and build automation improvements for the Blazor Orchestrator project. The primary focus is to enforce a strict policy prohibiting user-supplied
.dllfiles in job packages, ensuring only NuGet dependencies are allowed. Additionally, it automates the packaging of the job template using a new PowerShell script and MSBuild integration, eliminating manual steps and reducing the risk of stale or incorrect zip artifacts. Several projects also receive a minor update to theOpenTelemetry.Exporter.OpenTelemetryProtocolpackage.Security: Enforce No User-Supplied DLLs in Packages
.dllfiles, ensuring only NuGet dependencies (declared in.nuspec) are allowed. This is enforced in:JobManager.cs: Throws an error if.dllfiles are found during job execution.CodeExecutorService.cs: Fails execution if.dllfiles are present in the extracted package. [1] [2]NuGetPackageBuilderService.cs: Aborts package build if.dllfiles are found in the source.PackageProcessorService.cs: Adds a validation error if.dllfiles are detected during package validation.Build Automation: Job Template Packaging
Package-JobTemplate.ps1to automate the creation of the job template zip, removing build artifacts and user-specific files, and including the.slnxfile.BlazorOrchestrator.Web.csprojas an MSBuild target, ensuring the zip is always up-to-date and generated before each build.Dependency Updates
OpenTelemetry.Exporter.OpenTelemetryProtocolto version1.15.3across all relevant projects for consistency and security. [1] [2] [3] [4] [5] [6]