Plugin path traversal bug allows for loading an assembly from an arbitrary location

[xamroot]

The bug exists in the file PluginLoader.cs here

Within the function Load() which takes an assembly path from the user's plugin

` private Assembly Load(string relativePath) { ... var entryAssembly = Assembly.GetEntryAssembly() ?? throw new InvalidOperationException("Entry assembly not found");

    var binFolder = Path.GetDirectoryName(entryAssembly.Location);

    string assemblyPath = Path.Combine(binFolder!, relativePath);

    var customLoadContext = new PluginLoadContext();

    var assembly = customLoadContext.LoadFromAssemblyPath(assemblyPath);

    _loadedAssemblies.Add(relativePath, assembly);

    return assembly;
}

`

Should a user include the assembly path "../../../" they will be able to load assemblies from outside the entry assembly path. To fix simply include the following code within the Load() function

string assemblyPath = Path.Combine(binFolder!, relativePath); if (!Path.GetFullPath(assemblyPath).StartsWith(binFolder)) { throw new Exception("Attempted to load assembly from illegal location"); }

This would allow a theoretical attacker to load dangerous types from any existing .NET assemblies on the server.

[pournasserian]

@xamroot thanks for reporting the issue.