Within the function Load() which takes an assembly path from the user's plugin
`
private Assembly Load(string relativePath)
{
...
var entryAssembly = Assembly.GetEntryAssembly() ??
throw new InvalidOperationException("Entry assembly not found");
var binFolder = Path.GetDirectoryName(entryAssembly.Location);
string assemblyPath = Path.Combine(binFolder!, relativePath);
var customLoadContext = new PluginLoadContext();
var assembly = customLoadContext.LoadFromAssemblyPath(assemblyPath);
_loadedAssemblies.Add(relativePath, assembly);
return assembly;
}
`
Should a user include the assembly path "../../../" they will be able to load assemblies from outside the entry assembly path. To fix simply include the following code within the Load() function
string assemblyPath = Path.Combine(binFolder!, relativePath); if (!Path.GetFullPath(assemblyPath).StartsWith(binFolder)) { throw new Exception("Attempted to load assembly from illegal location"); }
This would allow a theoretical attacker to load dangerous types from any existing .NET assemblies on the server.
The bug exists in the file PluginLoader.cs here
Within the function Load() which takes an assembly path from the user's plugin
` private Assembly Load(string relativePath) { ... var entryAssembly = Assembly.GetEntryAssembly() ?? throw new InvalidOperationException("Entry assembly not found");
`
Should a user include the assembly path "../../../" they will be able to load assemblies from outside the entry assembly path. To fix simply include the following code within the Load() function
string assemblyPath = Path.Combine(binFolder!, relativePath); if (!Path.GetFullPath(assemblyPath).StartsWith(binFolder)) { throw new Exception("Attempted to load assembly from illegal location"); }
This would allow a theoretical attacker to load dangerous types from any existing .NET assemblies on the server.