Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create document on safely executing repros Fixes #45341 #45456

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Create document on safely executing repros Fixes #45341 #45456

wants to merge 3 commits into from

Conversation

Forgind
Copy link
Member

@Forgind Forgind commented Dec 13, 2024

Fixes #45341

/cc: @JanKrivanek

@dotnet-issue-labeler dotnet-issue-labeler bot added Area-NetSDK untriaged Request triage from a team member labels Dec 13, 2024
KalleOlaviNiemitalo
KalleOlaviNiemitalo reviewed Dec 13, 2024
View reviewed changes
documentation/general/ExecutingCustomerCode.md
If none of the above methods work, it may be viable to read all customer code carefully to ensure that no part of it is risky or malicious.

Some examples of specific patterns to watch out for that can cause issues include:
1. PackageReferences. These download code from the internet and permit its execution locally. If you are unfamiliar with any package in a PackageReference, this is insecure.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NuGet.Config could point to a malicious site, even if the package name is reserved at nuget.org.

@Forgind Forgind mentioned this pull request Dec 13, 2024
Open
dsplaisted
dsplaisted approved these changes Dec 20, 2024
View reviewed changes
Copy link
Member

@dsplaisted dsplaisted left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks very good overall. We do need to review it with our security team to make sure the claims made about what is secure are correct.

documentation/general/ExecutingCustomerCode.md Outdated

The other disadvantage of this approach is that it can take a lot of time to select appropriate parameters for your VM, start it, connect to it, set it up properly for your scenario, and execute the scenario. Unlike Sandbox, it can retain certain information across restarts, but it may lose active work just as your computer loses active work when you restart it. It's important to keep in mind that many VMs restart automatically at a fixed time every day when not in use to save resources.

That said, this is a secure means for executing a customer's scenario, and it works for any operating system and can even be configured to work for other architectures. Note that it does cost real money to use.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that it does cost real money to use.

I think you're referring to VMs in the cloud. It's also possible to create a local VM (for example using Hyper-V).

@Forgind
Copy link
Member Author

Forgind commented Dec 20, 2024

Looks very good overall. We do need to review it with our security team to make sure the claims made about what is secure are correct.

Thanks for the review! I set a reminder for myself to ping them in January when they're back from vacations 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KalleOlaviNiemitalo KalleOlaviNiemitalo KalleOlaviNiemitalo left review comments

@dsplaisted dsplaisted dsplaisted approved these changes

Assignees
No one assigned
Labels
Area-NetSDK untriaged Request triage from a team member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create documentation on how to safely run repro projects
3 participants
@Forgind @dsplaisted @KalleOlaviNiemitalo