Fixes CIM deserialization bug (PowerShell#4234)

src/System.Management.Automation/engine/serialization.cs

@@ -2979,6 +2979,35 @@ internal InternalDeserializer(XmlReader reader, DeserializationContext context)
 
         #endregion constructor
 
+        #region Known CIMTypes
+
+        private static Lazy<HashSet<Type>> s_knownCimArrayTypes = new Lazy<HashSet<Type>>(
+            () =>
+                new HashSet<Type>
+                {
+                    typeof(Boolean),
+                    typeof(byte),
+                    typeof(char),
+                    typeof(DateTime),
+                    typeof(Decimal),
+                    typeof(Double),
+                    typeof(Int16),
+                    typeof(Int32),
+                    typeof(Int64),
+                    typeof(SByte),
+                    typeof(Single),
+                    typeof(String),
+                    typeof(TimeSpan),
+                    typeof(UInt16),
+                    typeof(UInt32),
+                    typeof(UInt64),
+                    typeof(object),
+                    typeof(CimInstance)
+                }
+            );
+
+        #endregion
+
         #region deserialization
         /// <summary>
         /// Used by Remoting infrastructure. This TypeTable instance
@@ -3186,7 +3215,7 @@ private bool RehydrateCimInstanceProperty(
                     {
                         return false;
                     }
-                    if (!originalArrayType.IsArray)
+                    if (!originalArrayType.IsArray || !s_knownCimArrayTypes.Value.Contains(originalArrayType.GetElementType()))
                     {
                         return false;
                     }

test/powershell/Modules/Microsoft.PowerShell.Utility/assets/corruptedcim.clixml

@@ -0,0 +1,58 @@
+<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
+  <Obj RefId="0">
+    <TN RefId="0">
+      <T>Microsoft.Management.Infrastructure.CimInstance</T>
+      <T>System.Object</T>
+    </TN>
+    <ToString>SomeClassName</ToString>
+    <Obj RefId="1">
+      <TNRef RefId = "0" />
+      <ToString>SomeClassName</ToString>
+      <Props>
+        <Nil N="PSComputerName" />
+        <Obj N="Test1" RefId="20">
+          <TN RefId = "2">
+            <T>System.Windows.Markup.XamlReader[], PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</T>
+          </TN>
+          <LST>
+            <S N="Hash">
+              &lt;ResourceDictionary
+                xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+                xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+                xmlns:System="clr-namespace:System;assembly=mscorlib"
+                xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system"&gt;
+                &lt;ObjectDataProvider x:Key="LaunchCalc" 
+                  ObjectType="{x:Type Diag:Process}" 
+                  MethodName="Start"&gt;
+                  &lt;ObjectDataProvider.MethodParameters&gt;
+                    &lt;System:String&gt;calc&lt;/System:String&gt;
+                  &lt;/ObjectDataProvider.MethodParameters&gt;
+                &lt;/ObjectDataProvider&gt;
+                &lt;SolidColorBrush x:Key="ThemeBrushBlue" Color="{Binding Source={StaticResource LaunchCalc}}"/&gt;
+              &lt;/ResourceDictionary&gt;
+            </S>
+          </LST>
+        </Obj>
+      </Props>
+    </Obj>
+    <MS>
+      <Obj N="__ClassMetadata" RefId="2">
+        <TN RefId="3">
+          <T>System.Collections.ArrayList</T>
+          <T>System.Object</T>
+        </TN>
+        <LST>
+          <Obj RefId="4">
+            <MS>
+              <S N="ClassName">SomeClassName</S>
+              <S N="Namespace">SomeNamespace</S>
+              <Nil N="ServerName" />
+              <I32 N="Hash">460929192</I32>
+              <S N="MiXml">&lt;CLASS NAME="SomeClassName"&gt;&lt;PROPERTY NAME="test1" TYPE="string"&gt;&lt;/PROPERTY&gt;&lt;/CLASS&gt;</S>
+            </MS>
+          </Obj>
+        </LST>
+      </Obj>
+    </MS>
+  </Obj>
+</Objs>

test/powershell/Modules/Microsoft.PowerShell.Utility/clixml.tests.ps1

@@ -185,3 +185,52 @@
         }
     }
 }
+
+##
+## CIM deserialization security vulnerability
+##
+Describe "Deserializing corrupted Cim classes should not instantiate non-Cim types" -Tags "Feature","Slow" {
+
+    BeforeAll {
+
+        # Only run on Windows platform.
+        # Ensure calc.exe is avaiable for test.
+        if ( !$IsWindows -or ((Get-Command calc.exe 2>$null) -eq $null) )
+        {
+            $orginalDefaultParameters = $PSDefaultParameterValues.Clone()
+            $PSDefaultParameterValues["it:skip"] = $true
+        }
+        else
+        {
+            (Get-Process -Name 'win32calc','calculator' 2>$null) | Stop-Process -Force -ErrorAction SilentlyContinue
+        }
+    }
+
+    AfterAll {
+
+        if ($orginalDefaultParameters -ne $null)
+        {
+            $PSDefaultParameterValues = $orginalDefaultParameters
+        }
+        else
+        {
+            (Get-Process -Name 'win32calc','calculator' 2>$null) | Stop-Process -Force -ErrorAction SilentlyContinue
+        }
+    }
+
+    It "Verifies that importing the corrupted Cim class does not launch calc.exe" {
+
+        Import-Clixml -Path (Join-Path $PSScriptRoot "assets\CorruptedCim.clixml")
+
+        # Wait up to 10 seconds for calc.exe to run
+        $calcProc = $null
+        $count = 0
+        while (!$calcProc -and ($count++ -lt 20))
+        {
+            $calcProc = Get-Process -Name 'win32calc','calculator' 2>$null
+            Start-Sleep -Milliseconds 500
+        }
+
+        $calcProc | Should BeNullOrEmpty
+    }
+}