Description
Motivation
There are various MSBuild extensibility points that are enabled by default, but users might not be using them or might not even be aware of them.
Over time we should allow a native stricter mode of MSBuild in which extensibility points would need to be explicitly opted in. For now, to make testing and piloting such restrictions easier, let's implement them as a BuildCheck.
Possible extensibility points to check
A couple of samples that could be made configurable to disable:
- Response files (from various locations)
- MSBuildExtensionsPath
- MSBuildUserExtensionsPath
- Directory.Build.props, Directory.Build.targets (especially when included from outside of the root of the current solution or enlistment)
- Exec task, DownloadFile task, ToolTask (these are too permissive and are not needed by a large proportion of builds; telemetry to support this is TBD)
- Custom tasks
Note
Since BuildCheck will mostly operate on logging events, it will be too late to block a possibly suspicious or malicious action. It is rather intended to inform about such actions (e.g. by failing the build).
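As an added illustration (not MSBuild's own BuildCheck code), a constructed pre-build scan for the extensibility points listed above: it reads project XML and the directory layout before the build starts, so it can fail early instead of only reporting after logging events arrive. The sample project, the paths, the finding labels and the injected `isfile` predicate are all assumptions made for this example; posixpath is used so the walk-up is deterministic.

```python
import posixpath
import xml.etree.ElementTree as ET

PERMISSIVE_TASKS = {"Exec", "DownloadFile"}   # flagged above as too permissive
PATH_PROPERTIES = {"MSBuildExtensionsPath", "MSBuildUserExtensionsPath"}
INHERITED_FILES = ("Directory.Build.props", "Directory.Build.targets",
                   "Directory.Build.rsp")    # found by walking up from the project

# Constructed sample project exercising several of the listed extensibility points.
SAMPLE_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><MSBuildExtensionsPath>/opt/ext</MSBuildExtensionsPath></PropertyGroup>
  <UsingTask TaskName="Acme.Sign" AssemblyFile="tools/sign.dll" />
  <Target Name="AfterBuild">
    <Exec Command="echo done" />
    <DownloadFile SourceUrl="https://example.invalid/x" DestinationFolder="$(OutDir)" />
  </Target>
</Project>"""

def scan_project_xml(xml_text):
    """Findings in document order: permissive tasks, UsingTask registrations
    and overrides of the extensions-path properties."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.rsplit("}", 1)[-1]   # drop the namespace older projects declare
        if name in PERMISSIVE_TASKS:
            findings.append(f"task:{name}")
        elif name == "UsingTask":
            findings.append(f"custom-task:{elem.get('TaskName', '?')}")
        elif name in PATH_PROPERTIES:
            findings.append(f"property-override:{name}")
    return findings

def find_inherited_files(project_dir, enlistment_root, isfile):
    """Mimic MSBuild's nearest-file-above lookup; returns {name: (path, inside_root)}.
    inside_root is False when the file that would be imported lies outside the root."""
    found = {}
    for name in INHERITED_FILES:
        d = project_dir
        while True:
            candidate = posixpath.join(d, name)
            if isfile(candidate):
                inside = posixpath.commonpath([candidate, enlistment_root]) == enlistment_root
                found[name] = (candidate, inside)
                break
            parent = posixpath.dirname(d)
            if parent == d:  # filesystem root reached, nothing inherited
                break
            d = parent
    return found
```

Wire `find_inherited_files` to `os.path.isfile` for a real enlistment; a file reported with `inside_root == False` is exactly the out-of-tree Directory.Build.* case called out in the list.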