From 55768a20adaa1b5a9158cf3cfdc2f8733ddf43ab Mon Sep 17 00:00:00 2001
From: Tarek Mahmoud Sayed <tarekms@microsoft.com>
Date: Fri, 10 Feb 2023 22:18:48 +0000
Subject: [PATCH] Fix TimeZone when reading invalid TZ files

Add validation to TZ Ids.
---
 .../src/Resources/Strings.resx                |  6 +++
 .../System/TimeZoneInfo.Unix.NonAndroid.cs    | 48 ++++++++++++++++++-
 .../tests/System/TimeZoneInfoTests.cs         |  5 ++
 3 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/src/libraries/System.Private.CoreLib/src/Resources/Strings.resx b/src/libraries/System.Private.CoreLib/src/Resources/Strings.resx
index 9b8eee748e7132..66a83c4b379817 100644
--- a/src/libraries/System.Private.CoreLib/src/Resources/Strings.resx
+++ b/src/libraries/System.Private.CoreLib/src/Resources/Strings.resx
@@ -2603,6 +2603,9 @@
   <data name="InvalidProgram_Default" xml:space="preserve">
     <value>Common Language Runtime detected an invalid program.</value>
   </data>
+  <data name="InvalidTimeZone_InvalidId" xml:space="preserve">
+    <value>The time zone ID '{0}' is invalid.</value>
+  </data>
   <data name="InvalidTimeZone_InvalidFileData" xml:space="preserve">
     <value>The time zone ID '{0}' was found on the local computer, but the file at '{1}' was corrupt.</value>
   </data>
@@ -2627,6 +2630,9 @@
   <data name="IO_NoFileTableInInMemoryAssemblies" xml:space="preserve">
     <value>This assembly does not have a file table because it was loaded from memory.</value>
   </data>
+  <data name="IO_UnseekableFile" xml:space="preserve">
+    <value>Unsupported unseekable file.</value>
+  </data>
   <data name="IO_EOF_ReadBeyondEOF" xml:space="preserve">
     <value>Unable to read beyond the end of the stream.</value>
   </data>
diff --git a/src/libraries/System.Private.CoreLib/src/System/TimeZoneInfo.Unix.NonAndroid.cs b/src/libraries/System.Private.CoreLib/src/System/TimeZoneInfo.Unix.NonAndroid.cs
index a9d6c462610fe6..16be46b6c01117 100644
--- a/src/libraries/System.Private.CoreLib/src/System/TimeZoneInfo.Unix.NonAndroid.cs
+++ b/src/libraries/System.Private.CoreLib/src/System/TimeZoneInfo.Unix.NonAndroid.cs
@@ -24,17 +24,61 @@ private static TimeZoneInfo GetLocalTimeZoneCore()
             return GetLocalTimeZoneFromTzFile();
         }
 
+        private static byte[] ReadAllBytesFromSeekableNonZeroSizeFile(string path, int maxFileSize)
+        {
+            using FileStream fs = File.OpenRead(path);
+            if (!fs.CanSeek)
+            {
+                throw new IOException(SR.IO_UnseekableFile);
+            }
+
+            if (fs.Length == 0 || fs.Length > maxFileSize)
+            {
+                throw new IOException(fs.Length == 0 ? SR.IO_InvalidReadLength : SR.IO_FileTooLong);
+            }
+
+            byte[] bytes = new byte[fs.Length];
+            fs.ReadExactly(bytes, 0, bytes.Length);
+            return bytes;
+        }
+
+        // Bitmap covering the ASCII range. The bits is set for the characters [a-z], [A-Z], [0-9], '/', '-', and '_'.
+        private static byte[] asciiBitmap = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0xA8, 0xFF, 0x03, 0xFE, 0xFF, 0xFF, 0x87, 0xFE, 0xFF, 0xFF, 0x07 };
+        private static bool IdContainsAnyDisallowedChars(string zoneId)
+        {
+            for (int i = 0; i < zoneId.Length; i++)
+            {
+                int c = zoneId[i];
+                if (c > 0x7F)
+                {
+                    return true;
+                }
+                int value = c >> 3;
+                if ((asciiBitmap[value] & (ulong)(1UL << (c - (value << 3)))) == 0)
+                {
+                    return true;
+                }
+            }
+            return false;
+        }
+
         private static TimeZoneInfoResult TryGetTimeZoneFromLocalMachineCore(string id, out TimeZoneInfo? value, out Exception? e)
         {
             value = null;
             e = null;
 
+            if (Path.IsPathRooted(id) || IdContainsAnyDisallowedChars(id))
+            {
+                e = new TimeZoneNotFoundException(SR.Format(SR.InvalidTimeZone_InvalidId, id));
+                return TimeZoneInfoResult.TimeZoneNotFoundException;
+            }
+
             string timeZoneDirectory = GetTimeZoneDirectory();
             string timeZoneFilePath = Path.Combine(timeZoneDirectory, id);
             byte[] rawData;
             try
             {
-                rawData = File.ReadAllBytes(timeZoneFilePath);
+                rawData = ReadAllBytesFromSeekableNonZeroSizeFile(timeZoneFilePath, maxFileSize: 20 * 1024 * 1024 /* 20 MB */); // timezone files usually less than 1 MB.
             }
             catch (UnauthorizedAccessException ex)
             {
@@ -51,7 +95,7 @@ private static TimeZoneInfoResult TryGetTimeZoneFromLocalMachineCore(string id,
                 e = ex;
                 return TimeZoneInfoResult.TimeZoneNotFoundException;
             }
-            catch (IOException ex)
+            catch (Exception ex) when (ex is IOException || ex is OutOfMemoryException)
             {
                 e = new InvalidTimeZoneException(SR.Format(SR.InvalidTimeZone_InvalidFileData, id, timeZoneFilePath), ex);
                 return TimeZoneInfoResult.InvalidTimeZoneException;
diff --git a/src/libraries/System.Runtime/tests/System/TimeZoneInfoTests.cs b/src/libraries/System.Runtime/tests/System/TimeZoneInfoTests.cs
index ea3b1bfdef1a6c..8a8eb06bc81204 100644
--- a/src/libraries/System.Runtime/tests/System/TimeZoneInfoTests.cs
+++ b/src/libraries/System.Runtime/tests/System/TimeZoneInfoTests.cs
@@ -2083,6 +2083,11 @@ public static IEnumerable<object[]> ConvertTime_DateTimeOffset_InvalidDestinatio
             yield return new object[] { s_strPacific + "\\Display" };
             yield return new object[] { s_strPacific + "\n" }; // no trailing newline
             yield return new object[] { new string('a', 100) }; // long string
+            yield return new object[] { "/dev/random" };
+            yield return new object[] { "Invalid Id" };
+            yield return new object[] { "Invalid/Invalid" };
+            yield return new object[] { $"./{s_strPacific}" };
+            yield return new object[] { $"{s_strPacific}/../{s_strPacific}" };
         }
 
         [Theory]