Skip to content

Address feedback: enforce Azure DLL public key token at bind time under STRONG_NAME_SIGNING#3983

Merged
paulmedynski merged 2 commits intodev/paul/verify-assembliesfrom
copilot/sub-pr-3978
Feb 25, 2026
Merged

Address feedback: enforce Azure DLL public key token at bind time under STRONG_NAME_SIGNING#3983
paulmedynski merged 2 commits intodev/paul/verify-assembliesfrom
copilot/sub-pr-3978

Conversation

Copy link
Contributor

Copilot AI commented Feb 25, 2026
edited
Loading

Description

When STRONG_NAME_SIGNING is enabled, the previous approach loaded the Azure extension assembly by simple name first, then checked the public key token post-load. This meant a malicious assembly with the same simple name could execute module initializers before the check ran.

Fix: Under #if STRONG_NAME_SIGNING, build a fully-qualified AssemblyName with the expected public key token set via SetPublicKeyToken before calling Assembly.Load. The CLR then enforces the token at bind time — the wrong assembly is never loaded.

#if STRONG_NAME_SIGNING
var qualifiedName = new AssemblyName(assemblyName);
qualifiedName.SetPublicKeyToken([0x23, 0xec, 0x7f, 0xc2, 0xd6, 0xea, 0xa4, 0xa5]);
var assembly = Assembly.Load(qualifiedName);  // runtime enforces token during binding
#else
var assembly = Assembly.Load(assemblyName);
#endif

Token mismatch or missing assembly causes Assembly.Load to throw FileNotFoundException, already handled by the existing catch block. The redundant post-load token check block has been removed.

Without STRONG_NAME_SIGNING, behavior is unchanged — simple name load as before.

Issues

Addresses review feedback on #3978.

Testing

The existing exception handling covers the token-mismatch failure path (runtime throws FileNotFoundException on token mismatch, caught by the existing handler). No new automated tests added; the behavior under STRONG_NAME_SIGNING is exercised by the existing AKV provider load path in the build that enables signing.

Guidelines

Please review the contribution guidelines before submitting a pull request:

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@github-project-automation github-project-automation bot moved this to To triage in SqlClient Board Feb 25, 2026
Copilot AI mentioned this pull request Feb 25, 2026
Merged
@paulmedynski
Load Azure extension assembly with public key token under STRONG_NAME…
c27acee 
…_SIGNING

Co-authored-by: paulmedynski <31868385+paulmedynski@users.noreply.github.com>
Copilot AI changed the title [WIP] Update Azure DLL verification via public key token Address feedback: enforce Azure DLL public key token at bind time under STRONG_NAME_SIGNING Feb 25, 2026
@paulmedynski paulmedynski marked this pull request as ready for review February 25, 2026 17:52
@paulmedynski paulmedynski requested a review from a team as a code owner February 25, 2026 17:52
Copilot AI review requested due to automatic review settings February 25, 2026 17:52
@paulmedynski paulmedynski moved this from To triage to In review in SqlClient Board Feb 25, 2026
Copilot AI reviewed Feb 25, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a security vulnerability in how the Azure extension assembly is loaded under strong-name signing. The previous approach in PR #3978 loaded the assembly by simple name first, then validated the public key token post-load. This created a window where a malicious assembly with the same simple name could execute module initializers before the validation occurred.

Changes:

  • Moved public key token enforcement to bind time by calling SetPublicKeyToken before Assembly.Load under STRONG_NAME_SIGNING
  • Removed redundant post-load token validation block (18 lines)
  • Leverages existing exception handling (FileNotFoundException is already caught) to handle token mismatch failures

@paulmedynski paulmedynski merged commit 0245de5 into dev/paul/verify-assemblies Feb 25, 2026
6 of 10 checks passed
@paulmedynski paulmedynski deleted the copilot/sub-pr-3978 branch February 25, 2026 17:56
@github-project-automation github-project-automation bot moved this from In review to Done in SqlClient Board Feb 25, 2026
@mdaigle mdaigle added this to the 7.0.0-preview4 milestone Mar 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@paulmedynski paulmedynski paulmedynski approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@paulmedynski paulmedynski

Copilot code review Copilot

Labels

None yet

Projects

SqlClient Board
Status: Done

Milestone

7.0.0-preview4

Development

Successfully merging this pull request may close these issues.

4 participants

@paulmedynski @mdaigle