Merge branch 'main' into fileMapping

phil-allen-msft · web-flow · commit 9697b44d220e · 2024-09-26T09:04:30.000-07:00
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -2,26 +2,28 @@
 
   <PropertyGroup>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
     <!-- This is due to noise caused from the Minimatch package, tracked at https://github.com/SLaks/Minimatch/issues/12 -->
     <NoWarn>$(NoWarn);NU1603</NoWarn>
     <WebToolsPackageVersion>17.7.273</WebToolsPackageVersion>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageVersion Include="Microsoft.Bcl.AsyncInterfaces" Version="7.0.0" />
+    <PackageVersion Include="Microsoft.Bcl.AsyncInterfaces" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Build.Framework" Version="17.8.3" />
     <PackageVersion Include="Microsoft.Build.Tasks.Core" Version="17.8.3" />
     <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="17.8.3" />
     <PackageVersion Include="Microsoft.CodeAnalysis.FxCopAnalyzers" Version="3.3.1" />
+    <PackageVersion Include="Microsoft.IO.Redist" Version="6.0.1" />
     <PackageVersion Include="Microsoft.VisualStudio.Editor" Version="17.7.188" />
     <PackageVersion Include="Microsoft.VisualStudio.Internal.MicroBuild" Version="2.0.66" />
     <PackageVersion Include="Microsoft.VisualStudio.Language.Intellisense" Version="17.7.188" />
     <PackageVersion Include="Microsoft.VisualStudio.Settings.15.0" Version="17.5.33428.388" />
     <PackageVersion Include="Microsoft.VisualStudio.Shell.15.0" Version="17.7.37355" />
-    <PackageVersion Include="Microsoft.VisualStudio.Threading" Version="17.7.30" />
     <PackageVersion Include="Microsoft.VisualStudio.Telemetry" Version="17.7.57" />
+    <PackageVersion Include="Microsoft.VisualStudio.Threading" Version="17.7.30" />
     <PackageVersion Include="Microsoft.VisualStudio.Validation" Version="17.6.11" />
-    <PackageVersion Include="Microsoft.VSSDK.BuildTools" Version="17.7.2196" />
+    <PackageVersion Include="Microsoft.VSSDK.BuildTools" Version="17.10.2185" />
     <PackageVersion Include="Microsoft.WebTools.Languages.Css" Version="$(WebToolsPackageVersion)" />
     <PackageVersion Include="Microsoft.WebTools.Languages.Shared" Version="$(WebToolsPackageVersion)" />
     <PackageVersion Include="Microsoft.WebTools.Languages.Shared.Editor" Version="$(WebToolsPackageVersion)" />
@@ -34,14 +36,17 @@
     <PackageVersion Include="Nuget.VisualStudio" Version="17.7.1" />
 
     <PackageVersion Include="System.Collections.Immutable" Version="7.0.0" />
+    <PackageVersion Include="System.Formats.Asn1" Version="8.0.1" />
     <PackageVersion Include="System.Memory" Version="4.5.5" />
     <PackageVersion Include="System.Net.Http" Version="4.3.1" />
     <PackageVersion Include="System.Runtime" Version="4.3.0" />
     <PackageVersion Include="System.Runtime.CompilerServices.Unsafe" Version="6.0.0" />
     <PackageVersion Include="System.Runtime.Loader" Version="4.3.0" />
-    <PackageVersion Include="System.Security.Cryptography.ProtectedData" Version="4.5.0" />
+    <PackageVersion Include="System.Security.Cryptography.ProtectedData" Version="7.0.0" />
+    <PackageVersion Include="System.Security.Permissions" Version="7.0.0" />
+    <PackageVersion Include="System.Text.Json" Version="8.0.4" />
     <PackageVersion Include="System.Threading.Tasks.Extensions" Version="4.5.4"/>
-    <PackageVersion Include="System.ValueTuple" Version="4.3.0" />
+    <PackageVersion Include="System.ValueTuple" Version="4.5.0" />
 
     <!-- Test references -->
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.7.0" />
diff --git a/SECURITY.md b/SECURITY.md
@@ -1,35 +1,15 @@
-<!-- BEGIN MICROSOFT SECURITY.MD V0.0.1 BLOCK -->
+# Security Policy
 
-## Security
+## Supported Versions
 
-Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [many more](https://opensource.microsoft.com/).
+The .NET Core and ASP.NET Core support policy, including supported versions can be found at the [.NET Core Support Policy Page](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).
 
-If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's [definition](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)) of a security vulnerability, please report it to us as described below.
+## Reporting a Vulnerability
 
-## Reporting Security Issues
+Security issues and bugs should be reported privately to the Microsoft Security Response Center (MSRC), either by emailing secure@microsoft.com or via the portal at https://msrc.microsoft.com.
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your
+original message. Further information, including the MSRC PGP key, can be found in the [MSRC Report an Issue FAQ](https://www.microsoft.com/en-us/msrc/faqs-report-an-issue).
 
-**Please do not report security vulnerabilities through public GitHub issues.** Instead, please report them to the Microsoft Security Response Center at [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://technet.microsoft.com/en-us/security/dn606155).
+Reports via MSRC may qualify for the .NET Core Bug Bounty. Details of the .NET Core Bug Bounty including terms and conditions are at [https://aka.ms/corebounty](https://aka.ms/corebounty).
 
-You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
-
-Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
-
-  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
-  * Full paths of source file(s) related to the manifestation of the issue
-  * The location of the affected source code (tag/branch/commit or direct URL)
-  * Any special configuration required to reproduce the issue
-  * Step-by-step instructions to reproduce the issue
-  * Proof-of-concept or exploit code (if possible)
-  * Impact of the issue, including how an attacker might exploit the issue
-
-This information will help us triage your report more quickly.
-
-## Preferred Languages
-
-We prefer all communications to be in English.
-
-## Policy
-
-Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
-
-<!-- END MICROSOFT SECURITY.MD BLOCK -->
+Please do not open issues for anything you think might have a security implication.
diff --git a/azure-pipelines/official.yml b/azure-pipelines/official.yml
@@ -4,6 +4,16 @@ trigger:
   paths:
     exclude: ["*.md"]
 
+schedules:
+  - cron: "0 8 22-28 * 0" # Fourth Sunday of each month at 8:00 UTC
+    displayName: "Monthly build check"
+    branches:
+      include: 
+        - main
+        - rel/*
+    always: true # Run even if there have been no source code changes since the last successful scheduled run
+    batch: false # Do not run the pipeline if the previously scheduled run is in-progress
+
 variables:
   DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
   BuildConfiguration: Release
diff --git a/src/LibraryManager/Json/LibraryStateToFileConverter.cs b/src/LibraryManager/Json/LibraryStateToFileConverter.cs
@@ -2,6 +2,8 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Linq;
+using System.Diagnostics.CodeAnalysis;
+using System.Text;
 using Microsoft.Web.LibraryManager.Contracts;
 using Microsoft.Web.LibraryManager.LibraryNaming;
 
@@ -26,10 +28,14 @@ public ILibraryInstallationState ConvertToLibraryInstallationState(LibraryInstal
             }
 
             string provider = string.IsNullOrEmpty(stateOnDisk.ProviderId) ? _defaultProvider : stateOnDisk.ProviderId;
-            string destination = string.IsNullOrEmpty(stateOnDisk.DestinationPath) ? _defaultDestination : stateOnDisk.DestinationPath;
+
+            (string name, string version) = LibraryIdToNameAndVersionConverter.Instance.GetLibraryNameAndVersion(stateOnDisk.LibraryId, provider);
+            string destination = string.IsNullOrEmpty(stateOnDisk.DestinationPath) ? ExpandDestination(_defaultDestination, name, version) : stateOnDisk.DestinationPath;
 
             var state = new LibraryInstallationState()
             {
+                Name = name,
+                Version = version,
                 IsUsingDefaultDestination = string.IsNullOrEmpty(stateOnDisk.DestinationPath),
                 IsUsingDefaultProvider = string.IsNullOrEmpty(stateOnDisk.ProviderId),
                 ProviderId = provider,
@@ -38,11 +44,34 @@ public ILibraryInstallationState ConvertToLibraryInstallationState(LibraryInstal
                 FileMappings = stateOnDisk.FileMappings?.Select(f => new Contracts.FileMapping { Destination = f.Destination, Root = f.Root, Files = f.Files }).ToList(),
             };
 
-            (state.Name, state.Version) = LibraryIdToNameAndVersionConverter.Instance.GetLibraryNameAndVersion(stateOnDisk.LibraryId, provider);
-
             return state;
         }
 
+        /// <summary>
+        /// Expands [Name] and [Version] tokens in the DefaultDestination
+        /// </summary>
+        /// <param name="destination">The default destination string</param>
+        /// <param name="name">Package name</param>
+        /// <param name="version">Package version</param>
+        /// <returns></returns>
+        [SuppressMessage("Globalization", "CA1307:Specify StringComparison for clarity", Justification = "Not available on net481, not needed here (caseless)")]
+        private string ExpandDestination(string destination, string name, string version)
+        {
+            if (!destination.Contains("["))
+            {
+                return destination;
+            }
+
+            // if the name contains a slash (either filesystem or scoped packages),
+            // trim that and only take the last segment.
+            int cutIndex = name.LastIndexOfAny(['/', '\\']);
+
+            StringBuilder stringBuilder = new StringBuilder(destination);
+            stringBuilder.Replace("[Name]", cutIndex == -1 ? name : name.Substring(cutIndex + 1));
+            stringBuilder.Replace("[Version]", version);
+            return stringBuilder.ToString();
+        }
+
         public LibraryInstallationStateOnDisk ConvertToLibraryInstallationStateOnDisk(ILibraryInstallationState state)
         {
             if (state == null)
diff --git a/test/LibraryManager.Test/Json/LibraryStateToFileConverterTests.cs b/test/LibraryManager.Test/Json/LibraryStateToFileConverterTests.cs
@@ -0,0 +1,109 @@
+﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+using Microsoft.Web.LibraryManager.Contracts;
+using Microsoft.Web.LibraryManager.Json;
+using Microsoft.Web.LibraryManager.LibraryNaming;
+using Microsoft.Web.LibraryManager.Mocks;
+using Microsoft.Web.LibraryManager.Providers.Cdnjs;
+
+namespace Microsoft.Web.LibraryManager.Test.Json
+{
+    [TestClass]
+    public class LibraryStateToFileConverterTests
+    {
+        [TestInitialize]
+        public void Setup()
+        {
+            string cacheFolder = Environment.ExpandEnvironmentVariables(@"%localappdata%\Microsoft\Library\");
+            string projectFolder = Path.Combine(Path.GetTempPath(), "LibraryManager");
+            var hostInteraction = new HostInteraction(projectFolder, cacheFolder);
+            var dependencies = new Dependencies(hostInteraction, new CdnjsProviderFactory());
+            IProvider provider = dependencies.GetProvider("cdnjs");
+            LibraryIdToNameAndVersionConverter.Instance.Reinitialize(dependencies);
+        }
+
+        [TestMethod]
+        public void ConvertToLibraryInstallationState_NullStateOnDisk()
+        {
+            LibraryStateToFileConverter converter = new LibraryStateToFileConverter("provider", "destination");
+
+            ILibraryInstallationState result = converter.ConvertToLibraryInstallationState(null);
+
+            Assert.IsNull(result);
+        }
+
+        [TestMethod]
+        public void ConvertToLibraryInstallationState_UseDefaultProviderAndDestination()
+        {
+            LibraryStateToFileConverter converter = new LibraryStateToFileConverter("defaultProvider", "defaultDestination");
+
+            var stateOnDisk = new LibraryInstallationStateOnDisk
+            {
+                LibraryId = "libraryId",
+            };
+
+            ILibraryInstallationState result = converter.ConvertToLibraryInstallationState(stateOnDisk);
+
+            Assert.AreEqual("defaultProvider", result.ProviderId);
+            Assert.AreEqual("defaultDestination", result.DestinationPath);
+        }
+
+        [TestMethod]
+        public void ConvertToLibraryInstallationState_OverrideProviderAndDestination()
+        {
+            LibraryStateToFileConverter converter = new LibraryStateToFileConverter("defaultProvider", "defaultDestination");
+
+            var stateOnDisk = new LibraryInstallationStateOnDisk
+            {
+                LibraryId = "libraryId",
+                ProviderId = "provider",
+                DestinationPath = "destination",
+            };
+
+            ILibraryInstallationState result = converter.ConvertToLibraryInstallationState(stateOnDisk);
+
+            Assert.AreEqual("provider", result.ProviderId);
+            Assert.AreEqual("destination", result.DestinationPath);
+        }
+
+        [TestMethod]
+        public void ConvertToLibraryInstallationState_ExpandTokensInDefaultDestination()
+        {
+            LibraryStateToFileConverter converter = new LibraryStateToFileConverter("defaultProvider", "lib/[Name]/[Version]");
+
+            var stateOnDisk = new LibraryInstallationStateOnDisk
+            {
+                LibraryId = "testLibraryId@1.0",
+                // it needs to be a provider that uses the versioned naming scheme
+                ProviderId = "cdnjs",
+            };
+
+            ILibraryInstallationState result = converter.ConvertToLibraryInstallationState(stateOnDisk);
+
+            Assert.AreEqual("lib/testLibraryId/1.0", result.DestinationPath);
+        }
+
+        [TestMethod]
+        [DataRow("filesystem", "c:\\path\\to\\library")]
+        [DataRow("filesystem", "/path/to/library")]
+        [DataRow("cdnjs", "@scope/library@1.0.0")]
+        public void ConvertToLibraryInstallationState_ExpandTokensInDefaultDestination_NamesWithSlashes(string provider, string libraryId)
+        {
+            LibraryStateToFileConverter converter = new LibraryStateToFileConverter("defaultProvider", "lib/[Name]");
+
+            var stateOnDisk = new LibraryInstallationStateOnDisk
+            {
+                LibraryId = libraryId,
+                ProviderId = provider,
+            };
+
+            ILibraryInstallationState result = converter.ConvertToLibraryInstallationState(stateOnDisk);
+
+            Assert.AreEqual("lib/library", result.DestinationPath);
+        }
+    }
+}
