dotnet · marcpopMSFT · Sep 20, 2024 · Aug 15, 2024 · Aug 15, 2024 · Aug 16, 2024
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -102,6 +102,7 @@
     <PackageVersion Include="System.Composition.TypedParts" Version="$(SystemCompositionTypedPartsPackageVersion)"/>
     <PackageVersion Include="System.Configuration.ConfigurationManager" Version="$(SystemConfigurationConfigurationManagerPackageVersion)" />
     <PackageVersion Include="System.Formats.Asn1" Version="$(SystemFormatsAsn1Version)" />
+    <PackageVersion Include="System.IO.Hashing" Version="$(SystemIOHashingPackageVersion)" />
     <PackageVersion Include="System.Net.Http" Version="4.3.4" />
     <!-- System.Reflection.Metadata and System.Collections.Immutable cannot be pinned here because of hard dependencies within Roslyn on specific versions that have to work both here and in VS -->
     <PackageVersion Include="System.Reflection.MetadataLoadContext" Version="$(SystemReflectionMetadataLoadContextVersion)" />

diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
@@ -43,6 +43,10 @@
       <Uri>https://github.com/dotnet/runtime</Uri>
       <Sha>0fbd81404d1f211572387498474063bc6f407f0f</Sha>
     </Dependency>
+    <Dependency Name="Microsoft.IO.Hashing" Version="9.0.0-rc.1.24414.5">
+      <Uri>https://github.com/dotnet/runtime</Uri>
+      <Sha>0fbd81404d1f211572387498474063bc6f407f0f</Sha>
+    </Dependency>
     <Dependency Name="Microsoft.Extensions.DependencyModel" Version="9.0.0-rc.1.24414.5">
       <Uri>https://github.com/dotnet/runtime</Uri>
       <Sha>0fbd81404d1f211572387498474063bc6f407f0f</Sha>

diff --git a/eng/Versions.props b/eng/Versions.props
@@ -158,6 +158,7 @@
     <SystemTextEncodingCodePagesPackageVersion>9.0.0-rc.1.24414.5</SystemTextEncodingCodePagesPackageVersion>
     <SystemTextJsonPackageVersion>9.0.0-rc.1.24414.5</SystemTextJsonPackageVersion>
     <SystemWindowsExtensionsPackageVersion>9.0.0-rc.1.24414.5</SystemWindowsExtensionsPackageVersion>
+    <SystemIOHashingPackageVersion>9.0.0-rc.1.24414.5</SystemIOHashingPackageVersion>
     <SystemFormatsAsn1Version>9.0.0-rc.1.24414.5</SystemFormatsAsn1Version>
     <!-- These are minimum versions used for netfx-targeted components that run in Visual Studio because in those cases,
          Visual Studio is providing those assemblies, and we should work with whichever version it ships. -->

@@ -1,7 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System.Security.Cryptography;
+using System.IO.Hashing;
 using Microsoft.Build.Framework;
 using Microsoft.Build.Utilities;
 
@@ -118,11 +118,9 @@ protected override string GenerateResponseFileCommands()
         internal static string CalculateTargetPath(string relativePath, string extension)
         {
             // RelativePath can be long and if used as-is to write the output, might result in long path issues on Windows.
-            // Instead we'll calculate a fixed length path by hashing the input file name. This uses SHA1 similar to the Hash task in MSBuild
-            // since it has no crytographic significance.
-            using var hash = SHA1.Create();
+            // Instead we'll calculate a fixed length path by hashing the input file name. This uses xXHash3 since it has no crytographic significance.
             var bytes = Encoding.UTF8.GetBytes(relativePath);
-            var hashString = Convert.ToBase64String(hash.ComputeHash(bytes));
+            var hashString = Convert.ToBase64String(XxHash3.Hash(bytes));
 
             var builder = new StringBuilder();
 

@@ -63,6 +63,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Build.Framework" ExcludeAssets="Runtime" />
     <PackageReference Include="Microsoft.Build.Utilities.Core" ExcludeAssets="Runtime" />
+    <PackageReference Include="System.IO.Hashing" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/Cli/Microsoft.DotNet.Cli.Utils/Microsoft.DotNet.Cli.Utils.csproj b/src/Cli/Microsoft.DotNet.Cli.Utils/Microsoft.DotNet.Cli.Utils.csproj
@@ -49,6 +49,7 @@
     <PackageReference Include="Microsoft.Build" ExcludeAssets="runtime" PrivateAssets="all" />
     <PackageReference Include="Microsoft.Build.Utilities.Core" ExcludeAssets="runtime" PrivateAssets="all" />
     <PackageReference Include="System.CommandLine" />
+    <PackageReference Include="System.IO.Hashing" />
   </ItemGroup>
 
   <Import Project="Sdk.targets" Sdk="Microsoft.NET.Sdk" />

diff --git a/src/Cli/Microsoft.DotNet.Cli.Utils/Uuid.cs b/src/Cli/Microsoft.DotNet.Cli.Utils/Uuid.cs
@@ -1,14 +1,14 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System.Security.Cryptography;
+using System.IO.Hashing;
 
 namespace Microsoft.DotNet.Cli.Utils
 {
     public class Uuid
     {
         /// <summary>
-        /// Generate a Version 5 (SHA1 Name Based) Guid from a name.
+        /// Generate a Version 8 (XxHash3 Name Based) Guid from a name.
         /// </summary>
         /// <param name="name">The name to use for generating the GUID.</param>
         /// <returns>A generated <see cref="GUID"/>.</returns>
@@ -17,31 +17,28 @@ public static Guid Create(string name)
             // Any fixed GUID will do for a namespace.
             Guid namespaceId = new("28F1468D-672B-489A-8E0C-7C5B3030630C");
 
-            using (SHA1 hasher = SHA1.Create())
-            {
-                var nameBytes = Encoding.UTF8.GetBytes(name ?? string.Empty);
-                var namespaceBytes = namespaceId.ToByteArray();
+            var nameBytes = Encoding.UTF8.GetBytes(name ?? string.Empty);
+            var namespaceBytes = namespaceId.ToByteArray();
 
-                SwapGuidByteOrder(namespaceBytes);
+            SwapGuidByteOrder(namespaceBytes);
 
-                var streamToHash = new byte[namespaceBytes.Length + nameBytes.Length];
+            var streamToHash = new byte[namespaceBytes.Length + nameBytes.Length];
 
-                Array.Copy(namespaceBytes, streamToHash, namespaceBytes.Length);
-                Array.Copy(nameBytes, 0, streamToHash, namespaceBytes.Length, nameBytes.Length);
+            Array.Copy(namespaceBytes, streamToHash, namespaceBytes.Length);
+            Array.Copy(nameBytes, 0, streamToHash, namespaceBytes.Length, nameBytes.Length);
 
-                var hashResult = hasher.ComputeHash(streamToHash);
+            var hashResult = XxHash3.Hash(streamToHash); // This is just used for generating a named pipe so we don't need a cryptographic hash
 
-                var res = new byte[16];
+            var res = new byte[16];
 
-                Array.Copy(hashResult, res, res.Length);
+            Array.Copy(hashResult, res, res.Length);
 
-                unchecked { res[6] = (byte)(0x50 | (res[6] & 0x0F)); }
-                unchecked { res[8] = (byte)(0x40 | (res[8] & 0x3F)); }
+            unchecked { res[6] = (byte)(0x80 | (res[6] & 0x0F)); }
+            unchecked { res[8] = (byte)(0x40 | (res[8] & 0x3F)); }
 
-                SwapGuidByteOrder(res);
+            SwapGuidByteOrder(res);
 
-                return new Guid(res);
-            }
+            return new Guid(res);
         }
 
         // Do a byte order swap, .NET GUIDs store multi byte components in little

diff --git a/src/Installer/core-sdk-tasks/ExtractArchiveToDirectory.cs b/src/Installer/core-sdk-tasks/ExtractArchiveToDirectory.cs
@@ -83,18 +83,23 @@ public override bool Execute()
                         if (isZipArchive)
                         {
                             using var zip = new ZipArchive(File.OpenRead(SourceArchive));
-                            string loc = DestinationDirectory;
                             foreach (var entry in zip.Entries)
                             {
                                 if (ShouldExtractItem(entry.FullName))
                                 {
+                                    string destinationPath = Path.Combine(DestinationDirectory, entry.FullName);
+                                    string destinationFileName = GetFullDirectoryPathWithSeperator(destinationPath);
+                                    string fullDestDirPath = GetFullDirectoryPathWithSeperator(DestinationDirectory);
+
+                                    CheckDestinationPath(destinationFileName, fullDestDirPath);
+
                                     if (!Directory.Exists(Path.Combine(DestinationDirectory, Path.GetDirectoryName(entry.FullName))))
                                     {
                                         Directory.CreateDirectory(Path.Combine(DestinationDirectory, Path.GetDirectoryName(entry.FullName)));
                                     }
 
                                     Log.LogMessage(Path.GetDirectoryName(entry.FullName));
-                                    entry.ExtractToFile(Path.Combine(loc, entry.FullName));
+                                    entry.ExtractToFile(destinationPath);
                                 }
                             }
                         }
@@ -121,8 +126,14 @@ public override bool Execute()
                                     entryName = entryName.StartsWith("./") ? entryName[2..] : entryName;
                                     if (ShouldExtractItem(entryName))
                                     {
-                                        Log.LogMessage(entryName);
                                         string destinationPath = Path.Combine(DestinationDirectory, entryName);
+                                        string destinationFileName = GetFullDirectoryPathWithSeperator(destinationPath);
+                                        string fullDestDirPath = GetFullDirectoryPathWithSeperator(DestinationDirectory);
+
+                                        CheckDestinationPath(destinationFileName, fullDestDirPath);
+
+                                        Log.LogMessage(entryName);
+
                                         Directory.CreateDirectory(Path.GetDirectoryName(destinationPath));
                                         tarEntry.ExtractToFile(destinationPath, overwrite: true);
                                     }
@@ -170,6 +181,26 @@ public override bool Execute()
             return retVal;
         }
 
+        private string GetFullDirectoryPathWithSeperator(string directory)
+        {
+            string fullDirectoryPath = Path.GetFullPath(directory);
+
+            if (!fullDirectoryPath.EndsWith(Path.DirectorySeparatorChar.ToString()))
+            {
+                fullDirectoryPath = string.Concat(fullDirectoryPath, Path.DirectorySeparatorChar);
+            }
+
+            return fullDirectoryPath;
+        }
+
+        private void CheckDestinationPath(string destinationFileName, string fullDestDirPath)
+        {
+            if (!destinationFileName.StartsWith(fullDestDirPath, StringComparison.OrdinalIgnoreCase))
+            {
+                throw new System.InvalidOperationException("Entry is outside the target dir: " + destinationFileName);
+            }
+        }
+
         private bool ShouldExtractItem(string path) => DirectoriesToCopy?.Any(p => path.StartsWith(p.ItemSpec)) ?? false;
 
         protected override string ToolName => "tar";

diff --git a/src/Installer/core-sdk-tasks/GenerateGuidFromName.cs b/src/Installer/core-sdk-tasks/GenerateGuidFromName.cs
@@ -13,7 +13,7 @@ public static Guid GenerateGuid(string name)
             // Any fixed GUID will do for a namespace.
             Guid namespaceId = new Guid("28F1468D-672B-489A-8E0C-7C5B3030630C");
 
-            using (SHA1 hasher = SHA1.Create())
+            using (SHA1 hasher = SHA1.Create()) // CodeQL [SM02196] SHA1 is consistent with the UUID version 5 algorithm. This is used for a unique upgrade code but not for security
             {
                 var nameBytes = System.Text.Encoding.UTF8.GetBytes(name ?? string.Empty);
                 var namespaceBytes = namespaceId.ToByteArray();

diff --git a/src/Tasks/Microsoft.NET.Build.Tasks/Microsoft.NET.Build.Tasks.csproj b/src/Tasks/Microsoft.NET.Build.Tasks/Microsoft.NET.Build.Tasks.csproj
@@ -65,6 +65,7 @@
     <PackageReference Include="Microsoft.Deployment.DotNet.Releases" />
     <!-- Use an alias for APICompat so that we bring in the binaries, but don't accidentally reference any types -->
     <ProjectReference Include="$(RepoRoot)src\Compatibility\ApiCompat\Microsoft.DotNet.ApiCompat.Task\Microsoft.DotNet.ApiCompat.Task.csproj" Aliases="unused" PrivateAssets="All" />
+    <PackageReference Include="System.IO.Hashing" />
   </ItemGroup>
 
   <!-- Packages that are in-box for .NET Core, so we only need to reference them for .NET Framework -->

diff --git a/src/Tasks/Microsoft.NET.Build.Tasks/NugetContentAssetPreprocessor.cs b/src/Tasks/Microsoft.NET.Build.Tasks/NugetContentAssetPreprocessor.cs
@@ -1,7 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System.Security.Cryptography;
+using System.IO.Hashing;
 using NuGet.Common;
 
 namespace Microsoft.NET.Build.Tasks
@@ -71,12 +71,7 @@ private static string BuildPreprocessedContentHash(IReadOnlyDictionary<string, s
                     }
                 }
 
-                stream.Position = 0;
-
-                using (var sha1 = SHA1.Create())
-                {
-                    return BitConverter.ToString(sha1.ComputeHash(stream)).Replace("-", "");
-                }
+                return BitConverter.ToString(XxHash3.Hash(stream.GetBuffer().AsSpan(0, (int)stream.Length))).Replace("-", "");
             }
         }
     }

diff --git a/test/Microsoft.NET.TestFramework/Microsoft.NET.TestFramework.csproj b/test/Microsoft.NET.TestFramework/Microsoft.NET.TestFramework.csproj
@@ -39,6 +39,7 @@
     <PackageReference Include="xunit" />
     <PackageReference Include="Microsoft.Extensions.Logging" />
     <PackageReference Include="Microsoft.Extensions.Logging.Console" />
+    <PackageReference Include="System.IO.Hashing" />
   </ItemGroup>
 
   <!-- Packages that are in-box for .NET Core, so we only need to reference them for .NET Framework -->

diff --git a/test/Microsoft.NET.TestFramework/Utilities/FileThumbPrint.cs b/test/Microsoft.NET.TestFramework/Utilities/FileThumbPrint.cs
@@ -2,7 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Diagnostics;
-using System.Security.Cryptography;
+using System.IO.Hashing;
 
 namespace Microsoft.NET.TestFramework.Utilities
 {
@@ -25,10 +25,9 @@ private FileThumbPrint(string path, DateTime lastWriteTimeUtc, string hash)
         public static FileThumbPrint Create(string path)
         {
             byte[] hashBytes;
-            using (var sha1 = SHA1.Create())
             using (var fileStream = File.OpenRead(path))
             {
-                hashBytes = sha1.ComputeHash(fileStream);
+                hashBytes = XxHash3.Hash(File.ReadAllBytes(fileStream.Name));
             }
 
             var hash = Convert.ToBase64String(hashBytes);