Merge pull request #2430 from dotnet/dev/arpit/release_1b

Loose xaml can contain executable payload e.g. `ObjectDataProvider`. This Xaml can be included as part of `XpsDocument`s or base-64 encoded and then included in `StickyNote`s' annotation xml files.

In WPF, we were allowing `XpsDocument`s and `StickyNote`s' annotation xml files to be loaded freely via `XamlReader.Load`.

This exposes an attack vector - when a user downloads an XPS file from the internet for *viewing*, they could end up executing untrusted code.

The fix is to identify known dangerous types and limit them from being deserialized during XAML loading.

In order to accomplish this, we add new _non-public_ overloads to the `XamlReader.Load` method to enable the use of `RestrictiveXamlXmlReader`. `RestrictiveXamlXmlReader` restricts known dangerous types from being loaded while deserializing xaml.

We then call `XamlReader.Load` via `XamlReaderProxy`, which is an adapter for `XamlReader` type and uses reflection to access `XamlReader.Load`. Reflection is used to avoid adding additional public surface area to `XamlReader` in servicing.

Small changes are made to `TextRange` as well since the call-site for the `StickyNote`s case was through a call to `TextRange` which in turn calls into `XamlReader.Load`.

Author: arpitmathur

src/Microsoft.DotNet.Wpf/cycle-breakers/PresentationFramework/PresentationFramework.cs

@@ -11407,13 +11407,20 @@ public void CancelAsync() { }
         public static System.Xaml.XamlSchemaContext GetWpfSchemaContext() { throw null; }
         public static object Load(System.IO.Stream stream) { throw null; }
         public static object Load(System.IO.Stream stream, System.Windows.Markup.ParserContext parserContext) { throw null; }
+        public static object Load(System.IO.Stream stream, System.Windows.Markup.ParserContext parserContext, bool useRestrictiveXamlReader) { throw null; }
         public static object Load(System.Xaml.XamlReader reader) { throw null; }
         public static object Load(System.Xml.XmlReader reader) { throw null; }
+        public static object Load(System.Xml.XmlReader reader, bool useRestrictiveXamlReader) { throw null; }
         public object LoadAsync(System.IO.Stream stream) { throw null; }
+        public object LoadAsync(System.IO.Stream stream, bool useRestrictiveXamlReader) { throw null; }
         public object LoadAsync(System.IO.Stream stream, System.Windows.Markup.ParserContext parserContext) { throw null; }
+        public object LoadAsync(System.IO.Stream stream, System.Windows.Markup.ParserContext parserContext, bool useRestrictiveXamlReader) { throw null; }
         public object LoadAsync(System.Xml.XmlReader reader) { throw null; }
+        public object LoadAsync(System.Xml.XmlReader reader, bool useRestrictiveXamlReader) { throw null; }
         public static object Parse(string xamlText) { throw null; }
+        public static object Parse(string xamlText, bool useRestrictiveXamlReader) { throw null; }
         public static object Parse(string xamlText, System.Windows.Markup.ParserContext parserContext) { throw null; }
+        public static object Parse(string xamlText, System.Windows.Markup.ParserContext parserContext, bool useRestrictiveXamlReader) { throw null; }
     }
     public partial class XamlTypeMapper
     {

src/Microsoft.DotNet.Wpf/src/PresentationFramework/MS/Internal/Controls/StickyNote/StickyNoteContentControl.cs

@@ -234,7 +234,7 @@ public override void Load(XmlNode node)
                 RichTextBox richTextBox = (RichTextBox)InnerControl;
 
                 FlowDocument document = new FlowDocument();
-                TextRange rtbRange = new TextRange(document.ContentStart, document.ContentEnd);
+                TextRange rtbRange = new TextRange(document.ContentStart, document.ContentEnd, useRestrictiveXamlXmlReader: true);
                 using (MemoryStream buffer = new MemoryStream(Convert.FromBase64String(node.InnerText)))
                 {
                     rtbRange.Load(buffer, DataFormats.Xaml);

src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Documents/TextRange.cs

@@ -65,6 +65,24 @@ public TextRange(TextPointer position1, TextPointer position2) :
         internal TextRange(ITextPointer position1, ITextPointer position2)
             : this(position1, position2, false /* ignoreTextUnitBoundaries */)
         {
+        }
+
+        /// <summary>
+        /// Creates a new TextRange instance.
+        /// </summary>
+        /// <param name="position1">
+        /// </param>
+        /// TextPointer specifying the static end of the new TextRange.
+        /// <param name="position2">
+        /// TextPointer specifying the dynamic end of the new TextRange.
+        /// </param>
+        /// <param name="useRestrictiveXamlXmlReader">
+        /// Boolean flag. False by default, set to true to disable external xaml loading in specific scenarios like StickyNotes annotation loading
+        /// </param>
+        internal TextRange(TextPointer position1, TextPointer position2, bool useRestrictiveXamlXmlReader) :
+            this((ITextPointer)position1, (ITextPointer)position2)
+        {
+            _useRestrictiveXamlXmlReader = useRestrictiveXamlXmlReader;
         }
 
         // ignoreTextUnitBoundaries - true if normalization should ignore text
@@ -1366,7 +1384,7 @@ internal string Xml
                 try
                 {
                     // Parse the fragment into a separate subtree
-                    object xamlObject = XamlReader.Load(new XmlTextReader(new System.IO.StringReader(value)));
+                    object xamlObject = XamlReader.Load(new XmlTextReader(new System.IO.StringReader(value)), _useRestrictiveXamlXmlReader);
                     TextElement fragment = xamlObject as TextElement;
 
                     if (fragment != null)
@@ -1900,6 +1918,9 @@ private enum Flags
         // Boolean flags, set with Flags enum.
         private Flags _flags;
 
+        // Boolean flag, set to true via constructor when you want to use the RestrictiveXamlXmlReader  
+        private bool _useRestrictiveXamlXmlReader;
+
         #endregion Private Fields
     }
 }