PowerShell · TravisEz13 · Nov 14, 2018 · Oct 2, 2018 · Oct 2, 2018 · Oct 2, 2018
diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs
@@ -74,6 +74,7 @@ public sealed class AddTypeCommand : PSCmdlet
         /// The source code of this generated type.
         /// </summary>
         [Parameter(Mandatory = true, Position = 0, ParameterSetName = FromSourceParameterSetName)]
+        [ValidateTrustedData]
         public String TypeDefinition
         {
             get
@@ -90,6 +91,7 @@ public String TypeDefinition
         /// The name of the type (class) used for auto-generated types.
         /// </summary>
         [Parameter(Mandatory = true, Position = 0, ParameterSetName = FromMemberParameterSetName)]
+        [ValidateTrustedData]
         public String Name { get; set; }
 
         /// <summary>
@@ -137,6 +139,7 @@ public String[] MemberDefinition
         /// The path to the source code or DLL to load.
         /// </summary>
         [Parameter(Mandatory = true, Position = 0, ParameterSetName = FromPathParameterSetName)]
+        [ValidateTrustedData]
         [SuppressMessage("Microsoft.Performance", "CA1819:PropertiesShouldNotReturnArrays")]
         public string[] Path
         {
@@ -183,6 +186,7 @@ public string[] Path
         /// </summary>
         [Parameter(Mandatory = true, ParameterSetName = FromLiteralPathParameterSetName)]
         [Alias("PSPath", "LP")]
+        [ValidateTrustedData]
         [SuppressMessage("Microsoft.Performance", "CA1819:PropertiesShouldNotReturnArrays")]
         public string[] LiteralPath
         {
@@ -269,6 +273,7 @@ private void ProcessPaths(List<string> resolvedPaths)
         /// </summary>
         [Parameter(Mandatory = true, ParameterSetName = FromAssemblyNameParameterSetName)]
         [Alias("AN")]
+        [ValidateTrustedData]
         [SuppressMessage("Microsoft.Performance", "CA1819:PropertiesShouldNotReturnArrays")]
         public String[] AssemblyName { get; set; }
 

diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/Import-LocalizedData.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/Import-LocalizedData.cs
@@ -96,6 +96,7 @@ public string FileName
         /// The command allowed in the data file.  If unspecified, then ConvertFrom-StringData is allowed.
         /// </summary>
         [Parameter]
+        [ValidateTrustedData]
         [SuppressMessage("Microsoft.Performance", "CA1819:PropertiesShouldNotReturnArrays", Justification = "Cmdlets use arrays for parameters.")]
         public string[] SupportedCommand
         {
@@ -205,6 +206,13 @@ protected override void ProcessRecord()
                     else
                     {
                         variable.Value = result;
+
+                        if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)
+                        {
+                            // Mark untrusted values for assignments to 'Global:' variables, and 'Script:' variables in
+                            // a module scope, if it's necessary.
+                            ExecutionContext.MarkObjectAsUntrustedForVariableAssignment(variable, scope, Context.EngineSessionState);
+                        }
                     }
                 }
 

diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/InvokeCommandCmdlet.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/InvokeCommandCmdlet.cs
@@ -20,6 +20,7 @@ public sealed
         /// Command to execute.
         /// </summary>
         [Parameter(Position = 0, Mandatory = true, ValueFromPipeline = true)]
+        [ValidateTrustedData]
         public string Command { get; set; }
 
         #endregion parameters

diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/Var.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/Var.cs
@@ -941,6 +941,16 @@ private void SetVariable(string[] varNames, object varValue)
                                 if (varValue != AutomationNull.Value)
                                 {
                                     matchingVariable.Value = varValue;
+
+                                    if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)
+                                    {
+                                        // In 'ConstrainedLanguage' we want to monitor untrusted values assigned to 'Global:' variables
+                                        // and 'Script:' variables, because they may be set from 'ConstrainedLanguage' environment and
+                                        // referenced within trusted script block, and thus result in security issues.
+                                        // Here we are setting the value of an existing variable and don't know what scope this variable
+                                        // is from, so we mark the value as untrusted, regardless of the scope.
+                                        ExecutionContext.MarkObjectAsUntrusted(matchingVariable.Value);
+                                    }
                                 }
 
                                 if (Description != null)

diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/new-object.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/new-object.cs
@@ -28,6 +28,7 @@ public sealed class NewObjectCommand : PSCmdlet
 
         /// <summary> the number</summary>
         [Parameter(ParameterSetName = netSetName, Mandatory = true, Position = 0)]
+        [ValidateTrustedData]
         public string TypeName { get; set; } = null;
 
 #if !UNIX
@@ -36,6 +37,7 @@ public sealed class NewObjectCommand : PSCmdlet
         /// The ProgID of the Com object.
         /// </summary>
         [Parameter(ParameterSetName = "Com", Mandatory = true, Position = 0)]
+        [ValidateTrustedData]
         public string ComObject { get; set; } = null;
 #endif
 
@@ -44,6 +46,7 @@ public sealed class NewObjectCommand : PSCmdlet
         /// </summary>
         /// <value></value>
         [Parameter(ParameterSetName = netSetName, Mandatory = false, Position = 1)]
+        [ValidateTrustedData]
         [Alias("Args")]
         public object[] ArgumentList { get; set; } = null;
 
@@ -58,6 +61,7 @@ public sealed class NewObjectCommand : PSCmdlet
         /// gets the properties to be set.
         /// </summary>
         [Parameter]
+        [ValidateTrustedData]
         [SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly")]
         public IDictionary Property { get; set; }
 

diff --git a/src/Microsoft.PowerShell.ConsoleHost/host/msh/ConsoleHost.cs b/src/Microsoft.PowerShell.ConsoleHost/host/msh/ConsoleHost.cs
@@ -1657,10 +1657,7 @@ private void DoRunspaceInitialization(bool skipProfiles, string initialCommand,
 
                 // If the system lockdown policy says "Enforce", do so. Do this after types / formatting, default functions, etc
                 // are loaded so that they are trusted. (Validation of their signatures is done in F&O)
-                if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce)
-                {
-                    _runspaceRef.Runspace.ExecutionContext.LanguageMode = PSLanguageMode.ConstrainedLanguage;
-                }
+                Utils.EnforceSystemLockDownLanguageMode(_runspaceRef.Runspace.ExecutionContext);
 
                 string allUsersProfile = HostUtilities.GetFullProfileFileName(null, false);
                 string allUsersHostSpecificProfile = HostUtilities.GetFullProfileFileName(shellId, false);

diff --git a/src/System.Management.Automation/engine/ArgumentTypeConverterAttribute.cs b/src/System.Management.Automation/engine/ArgumentTypeConverterAttribute.cs
@@ -165,6 +165,13 @@ internal object Transform(EngineIntrinsics engineIntrinsics, object inputData, b
                 throw new ArgumentTransformationMetadataException(e.Message, e);
             }
 
+            // Track the flow of untrusted object during the conversion when it's called directly from ParameterBinderBase.
+            // When it's called from the override Transform method, the tracking is taken care of in the base type.
+            if (bindingParameters || bindingScriptCmdlet)
+            {
+                ExecutionContext.PropagateInputSource(inputData, result, engineIntrinsics.SessionState.Internal.LanguageMode);
+            }
+
             return result;
         }
 

diff --git a/src/System.Management.Automation/engine/Attributes.cs b/src/System.Management.Automation/engine/Attributes.cs
@@ -1745,6 +1745,36 @@ public interface IValidateSetValuesGenerator
         string[] GetValidValues();
     }
 
+    /// <summary>
+    /// Validates that each parameter argument is Trusted data
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Field | AttributeTargets.Property)]
+    public sealed class ValidateTrustedDataAttribute : ValidateArgumentsAttribute
+    {
+        /// <summary>
+        /// Validates that the parameter argument is not untrusted
+        /// </summary>
+        /// <param name="arguments">Object to validate</param>
+        /// <param name="engineIntrinsics">
+        /// The engine APIs for the context under which the validation is being
+        /// evaluated.
+        /// </param>
+        /// <exception cref="ValidationMetadataException">
+        /// if the argument is untrusted.
+        /// </exception>
+        protected override void Validate(object arguments, EngineIntrinsics engineIntrinsics)
+        {
+            if (ExecutionContext.HasEverUsedConstrainedLanguage &&
+                engineIntrinsics.SessionState.Internal.ExecutionContext.LanguageMode == PSLanguageMode.FullLanguage)
+            {
+                if (ExecutionContext.IsMarkedAsUntrusted(arguments))
+                {
+                    throw new ValidationMetadataException("ValidateTrustedDataFailure", null, Metadata.ValidateTrustedDataFailure, arguments);
+                }
+            }
+        }
+    }
+
     #region Allow
 
     /// <summary>
@@ -2151,6 +2181,27 @@ protected ArgumentTransformationAttribute()
         /// <exception cref="ArgumentTransformationMetadataException">should be thrown for any problems during transformation</exception>
         public abstract object Transform(EngineIntrinsics engineIntrinsics, object inputData);
 
+        /// <summary>
+        /// Transform inputData and track the flow of untrusted object.
+        /// NOTE: All internal handling of ArgumentTransformationAttribute should use this method to track the trustworthiness of
+        /// the data input source by default.
+        /// </summary>
+        /// <remarks>
+        /// The default value for <paramref name="trackDataInputSource"/> is True.
+        /// You should stick to the default value for this parameter in most cases so that data input source is tracked during the transformation.
+        /// The only acceptable exception is when this method is used in Compiler or Binder where you can generate extra code to track input source
+        /// when it's necessary. This is to minimize the overhead when tracking is not needed.
+        /// </remarks>
+        internal object TransformInternal(EngineIntrinsics engineIntrinsics, object inputData, bool trackDataInputSource = true)
+        {
+            object result = Transform(engineIntrinsics, inputData);
+            if (trackDataInputSource && engineIntrinsics != null)
+            {
+                ExecutionContext.PropagateInputSource(inputData, result, engineIntrinsics.SessionState.Internal.LanguageMode);
+            }
+            return result;
+        }
+
         /// <summary>
         /// The property is only checked when:
         ///   a) The parameter is not mandatory

diff --git a/src/System.Management.Automation/engine/CmdletInfo.cs b/src/System.Management.Automation/engine/CmdletInfo.cs
@@ -61,6 +61,9 @@ internal CmdletInfo(
             _helpFilePath = helpFile;
             _PSSnapin = PSSnapin;
             _options = ScopedItemOptions.ReadOnly;
+
+            // CmdletInfo represents cmdlets exposed from assemblies.  On a locked down system, only trusted
+            // assemblies will be loaded.  Therefore, a CmdletInfo instance will always be trusted.
             this.DefiningLanguageMode = PSLanguageMode.FullLanguage;
         }
 

diff --git a/src/System.Management.Automation/engine/CommandCompletion/CompletionAnalysis.cs b/src/System.Management.Automation/engine/CommandCompletion/CompletionAnalysis.cs
@@ -308,7 +308,7 @@ internal List<CompletionResult> GetResults(PowerShell powerShell, out int replac
             try
             {
                 // Tab expansion is called from a trusted function - we should apply ConstrainedLanguage if necessary.
-                if (ExecutionContext.HasEverUsedConstrainedLanguage)
+                if (completionContext.ExecutionContext.HasRunspaceEverUsedConstrainedLanguageMode)
                 {
                     previousLanguageMode = completionContext.ExecutionContext.LanguageMode;
                     completionContext.ExecutionContext.LanguageMode = PSLanguageMode.ConstrainedLanguage;

diff --git a/src/System.Management.Automation/engine/CommandCompletion/CompletionCompleters.cs b/src/System.Management.Automation/engine/CommandCompletion/CompletionCompleters.cs
@@ -6741,7 +6741,7 @@ internal static bool TrySafeEval(ExpressionAst ast, ExecutionContext executionCo
             try
             {
                 // ConstrainedLanguage has already been applied as necessary when we construct CompletionContext
-                Diagnostics.Assert(!(ExecutionContext.HasEverUsedConstrainedLanguage && executionContext.LanguageMode != PSLanguageMode.ConstrainedLanguage),
+                Diagnostics.Assert(!(executionContext.HasRunspaceEverUsedConstrainedLanguageMode && executionContext.LanguageMode != PSLanguageMode.ConstrainedLanguage),
                                    "If the runspace has ever used constrained language mode, then the current language mode should already be set to constrained language");
 
                 // We're passing 'true' here for isTrustedInput, because SafeExprEvaluator ensures that the AST

diff --git a/src/System.Management.Automation/engine/CommandCompletion/PseudoParameterBinder.cs b/src/System.Management.Automation/engine/CommandCompletion/PseudoParameterBinder.cs
@@ -963,7 +963,7 @@ internal PseudoBindingInfo DoPseudoParameterBinding(CommandAst command, Type pip
                     try
                     {
                         // Tab expansion is called from a trusted function - we should apply ConstrainedLanguage if necessary.
-                        if (ExecutionContext.HasEverUsedConstrainedLanguage)
+                        if (executionContext.HasRunspaceEverUsedConstrainedLanguageMode)
                         {
                             previousLanguageMode = executionContext.LanguageMode;
                             executionContext.LanguageMode = PSLanguageMode.ConstrainedLanguage;

diff --git a/src/System.Management.Automation/engine/CommandProcessor.cs b/src/System.Management.Automation/engine/CommandProcessor.cs
@@ -208,7 +208,44 @@ internal override void Prepare(IDictionary psDefaultParameterValues)
                 this.Command != null,
                 "CommandProcessor did not initialize Command\n" + this.CommandInfo.Name);
 
-            BindCommandLineParameters();
+            PSLanguageMode? oldLanguageMode = null;
+            bool? oldLangModeTransitionStatus = null;
+            try
+            {
+                var scriptCmdletInfo = this.CommandInfo as IScriptCommandInfo;
+                if (scriptCmdletInfo != null &&
+                    scriptCmdletInfo.ScriptBlock.LanguageMode.HasValue &&
+                    scriptCmdletInfo.ScriptBlock.LanguageMode != Context.LanguageMode)
+                {
+                    // Set the language mode before parameter binding if it's necessary for a script cmdlet, so that the language
+                    // mode is appropriately applied for evaluating parameter defaults and argument type conversion.
+                    oldLanguageMode = Context.LanguageMode;
+                    Context.LanguageMode = scriptCmdletInfo.ScriptBlock.LanguageMode.Value;
+
+                    // If it's from ConstrainedLanguage to FullLanguage, indicate the transition before parameter binding takes place.
+                    if (oldLanguageMode == PSLanguageMode.ConstrainedLanguage && Context.LanguageMode == PSLanguageMode.FullLanguage)
+                    {
+                        oldLangModeTransitionStatus = Context.LanguageModeTransitionInParameterBinding;
+                        Context.LanguageModeTransitionInParameterBinding = true;
+                    }
+                }
+
+                BindCommandLineParameters();
+            }
+            finally
+            {
+                if (oldLanguageMode.HasValue)
+                {
+                    // Revert to the original language mode after doing the parameter binding
+                    Context.LanguageMode = oldLanguageMode.Value;
+                }
+
+                if (oldLangModeTransitionStatus.HasValue)
+                {
+                    // Revert the transition state to old value after doing the parameter binding
+                    Context.LanguageModeTransitionInParameterBinding = oldLangModeTransitionStatus.Value;
+                }
+            }
         }
 
         protected override void OnSetCurrentScope()