
using ZB.MOM.WW.ScadaBridge.ScriptAnalysis;
namespace ZB.MOM.WW.ScadaBridge.InboundAPI;
/// <summary>
/// InboundAPI-005: applies the ScadaBridge script trust model to inbound API method
/// scripts before they are turned into executable handlers.
///
/// The type is a thin compatibility shim: all analysis is delegated to the shared,
/// authoritative <see cref="ScriptTrustValidator.FindViolations"/> in
/// <c>ZB.MOM.WW.ScadaBridge.ScriptAnalysis</c> (M3.4). That validator combines a
/// semantic symbol pass (alias / <c>global::</c> / <c>using static</c> escapes) with the
/// reflection-gateway and <c>dynamic</c> / <c>Activator</c> syntactic hardening that
/// used to live only in this file.
///
/// <para>
/// InboundAPI-015: a deny-list that only matches namespace text can be bypassed,
/// because reflection is reachable through members of <em>permitted</em> types that
/// never spell a forbidden namespace, e.g.
/// <c>typeof(string).Assembly.GetType("System.IO.File")</c>. The shared validator
/// closes this with semantic resolution plus member-level hardening of the reflection
/// gateways — <c>GetType</c>, <c>Assembly</c>, <c>GetMethod</c>, <c>InvokeMember</c>,
/// <c>CreateInstance</c> and the <c>dynamic</c> keyword are all rejected. This is still
/// a best-effort static check, <strong>not</strong> a sandbox (see the security notes in
/// <c>code-reviews/InboundAPI/findings.md</c>, InboundAPI-015). Treat it as
/// defence-in-depth only; real containment requires a runtime boundary (restricted
/// <c>AssemblyLoadContext</c> / curated reference set / out-of-process sandbox).
/// </para>
/// <para>
/// NOTE(review): because this is a static check over source text, callers must pass
/// exactly the text that is subsequently compiled — any trimming, templating or other
/// normalisation applied after this call would open a gap between what was checked and
/// what runs.
/// </para>
/// </summary>
public static class ForbiddenApiChecker
{
    /// <summary>
    /// Runs the shared trust-model validation over <paramref name="scriptCode"/> and
    /// returns every violation found. A <c>null</c>, empty or whitespace-only script has
    /// nothing to compile and is short-circuited to an empty result without invoking the
    /// validator. An empty result means no violation was detected by the static check —
    /// not that the script is proven safe (see the type-level notes).
    /// </summary>
    /// <param name="scriptCode">The C# script source exactly as it will be compiled.</param>
    /// <returns>Trust-model violation messages; empty when none were detected.</returns>
    public static IReadOnlyList<string> FindViolations(string scriptCode) =>
        string.IsNullOrWhiteSpace(scriptCode)
            ? Array.Empty<string>()
            : ScriptTrustValidator.FindViolations(scriptCode);
}