Added blocking of Delegate.Method when AllowReflection is false (GitHub Issue ClearFoundry#2); other minor fixes.

ClearScriptLib · ClearScriptLib · commit ee73af95647a · 2017-05-07T10:25:34.000-04:00
diff --git a/ClearScript/ClearScript.csproj b/ClearScript/ClearScript.csproj
@@ -98,6 +98,7 @@
     <Compile Include="HostList.cs" />
     <Compile Include="Util\INativeCallback.cs" />
     <Compile Include="Util\IHostInvokeContext.cs" />
+    <Compile Include="Util\MemberComparer.cs" />
     <Compile Include="Util\NativeCallbackTimer.cs" />
     <Compile Include="Util\NativeMethods.cs" />
     <Compile Include="Util\COMDispatch.cs" />
diff --git a/ClearScript/HostItem.InvokeMethod.cs b/ClearScript/HostItem.InvokeMethod.cs
@@ -480,7 +480,7 @@ public override bool IsUnblockedMethod(HostItem hostItem)
 
             public override object Invoke(HostItem hostItem)
             {
-                if (reflectionMethods.Contains(method))
+                if (reflectionMethods.Contains(method, MemberComparer<MethodInfo>.Instance))
                 {
                     hostItem.Engine.CheckReflection();
                 }
diff --git a/ClearScript/HostItem.cs b/ClearScript/HostItem.cs
@@ -32,6 +32,11 @@ internal partial class HostItem : DynamicObject, IReflect, IDynamic, IEnumVARIAN
         internal static bool EnableVTablePatching;
         [ThreadStatic] private static bool bypassVTablePatching;
 
+        private static readonly PropertyInfo[] reflectionProperties =
+        {
+            typeof(Delegate).GetProperty("Method")
+        };
+
         #endregion
 
         #region constructors
@@ -1389,6 +1394,11 @@ private object GetHostProperty(string name, BindingFlags invokeFlags, object[] a
 
         private object GetHostProperty(PropertyInfo property, BindingFlags invokeFlags, object[] args, CultureInfo culture)
         {
+            if (reflectionProperties.Contains(property, MemberComparer<PropertyInfo>.Instance))
+            {
+                engine.CheckReflection();
+            }
+
             if (property.GetGetMethod(invokeFlags.HasFlag(BindingFlags.NonPublic)) == null)
             {
                 throw new UnauthorizedAccessException("Property get method is unavailable or inaccessible");
diff --git a/ClearScript/Util/MemberComparer.cs b/ClearScript/Util/MemberComparer.cs
@@ -0,0 +1,33 @@
+&#65279;// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Reflection;
+
+namespace Microsoft.ClearScript.Util
+{
+    internal sealed class MemberComparer<T> : EqualityComparer<T> where T : MemberInfo
+    {
+        private static readonly MemberComparer<T> instance = new MemberComparer<T>();
+
+        public static MemberComparer<T> Instance { get { return instance; } }
+
+        public override bool Equals(T x, T y)
+        {
+            try
+            {
+                return (x.Module == y.Module) && (x.MetadataToken == y.MetadataToken);
+            }
+            catch (Exception)
+            {
+                return x == y;
+            }
+        }
+
+        public override int GetHashCode(T obj)
+        {
+            return (obj == null) ? 0 : obj.GetHashCode();
+        }
+    }
+}
diff --git a/ClearScript/Util/NativeMethods.cs b/ClearScript/Util/NativeMethods.cs
@@ -31,7 +31,9 @@ [In] [MarshalAs(UnmanagedType.LPWStr)] string path
 
         [DllImport("kernel32.dll", SetLastError = true)]
         [return: MarshalAs(UnmanagedType.Bool)]
-        public static extern bool FreeLibrary(IntPtr hLibrary);
+        public static extern bool FreeLibrary(
+            [In] IntPtr hLibrary
+        );
 
         [DllImport("ole32.dll", ExactSpelling = true)]
         public static extern uint CLSIDFromProgID(
@@ -86,9 +88,13 @@ [Out] out uint oldProtect
         );
 
         [DllImport("kernel32.dll", SetLastError = false)]
-        public static extern void GetSystemInfo(out SystemInfo info);
+        public static extern void GetSystemInfo(
+            [Out] out SystemInfo info
+        );
 
         [DllImport("kernel32.dll")]
-        public static extern void GetNativeSystemInfo(out SystemInfo info);
+        public static extern void GetNativeSystemInfo(
+            [Out] out SystemInfo info
+        );
     }
 }
diff --git a/ClearScriptTest/MemberAccessTest.cs b/ClearScriptTest/MemberAccessTest.cs
@@ -208,6 +208,12 @@ public void MemberAccess_Property_Struct_BadAssignment()
             TestUtil.AssertException<ArgumentException>(() => engine.Execute("testObject.StructProperty = System.DateTime.Now"));
         }
 
+        [TestMethod, TestCategory("MemberAccess")]
+        public void MemberAccess_Property_Blocked()
+        {
+            TestUtil.AssertException<UnauthorizedAccessException>(() => engine.Execute("host.proc(0, function () {}).Method"));
+        }
+
         [TestMethod, TestCategory("MemberAccess")]
         public void MemberAccess_ReadOnlyProperty()
         {

Original file line number	Diff line number	Diff line change
`@@ -480,7 +480,7 @@ public override bool IsUnblockedMethod(HostItem hostItem)`
`480`	`480`
`481`	`481`	`public override object Invoke(HostItem hostItem)`
`482`	`482`	`{`
`483`		`- if (reflectionMethods.Contains(method))`
	`483`	`+ if (reflectionMethods.Contains(method, MemberComparer<MethodInfo>.Instance))`
`484`	`484`	`{`
`485`	`485`	`hostItem.Engine.CheckReflection();`
`486`	`486`	`}`
Original file line number	Diff line number	Diff line change
`@@ -208,6 +208,12 @@ public void MemberAccess_Property_Struct_BadAssignment()`
`208`	`208`	`TestUtil.AssertException<ArgumentException>(() => engine.Execute("testObject.StructProperty = System.DateTime.Now"));`
`209`	`209`	`}`
`210`	`210`
	`211`	`+ [TestMethod, TestCategory("MemberAccess")]`
	`212`	`+ public void MemberAccess_Property_Blocked()`
	`213`	`+ {`
	`214`	`+ TestUtil.AssertException<UnauthorizedAccessException>(() => engine.Execute("host.proc(0, function () {}).Method"));`
	`215`	`+ }`
	`216`	`+`
`211`	`217`	`[TestMethod, TestCategory("MemberAccess")]`
`212`	`218`	`public void MemberAccess_ReadOnlyProperty()`
`213`	`219`	`{`