Running an exported form in ConstrainedLanguage mode causes massive errors

Posted: Thu Jul 11, 2019 4:52 am
by FrankAndrew
Product, version and build: PowerShell Studio 2019, 5.6.165
32 or 64 bit version of product: 64bit
Operating system: Windows 10 Enterprise (1809)
32 or 64 bit OS: 64bit

I have tried to run an exported form at a location in our network where ONLY the "ConstrainedLanguage" mode is allowed and it throws massive numbers of errors before finally running aground, which is totally understandable, due to the fact that Reflection is NOT allowed in the "ConstrainedLanguage" mode.

Now that you guys have gotten to know the "ConstrainedLanguage" mode I have a small request.

Please add the following code, or something else to this effect, to the top of each generated "*.Export.ps1" file right after the param() section, if one exists, so that these scripts CAN error out gracefully and the user will have some sense as to why it will NOT work.

Code:

$languageMode = $ExecutionContext.SessionState.LanguageMode.ToString().ToUpper()
If ($languageMode.Equals("CONSTRAINEDLANGUAGE")) {
   Write-Error -Message "`nRunning in the `"ConstrainedLanguage`" mode!`nPowerShell Forms will NOT work in this mode!`n`nContact your system administrator!"
   Exit
}

If you implement this, or something similar, I am sure you will prevent the creation of unnecessary problem tickets. :D

Re: Running an exported form in ConstrainedLanguage mode causes massive errors

Posted: Thu Jul 11, 2019 5:01 am
by Alexander Riedel
We sent a request regarding this constrained mode around. Since we have not encountered this before, we suspected it is not in very wide use.
Below is the reply from Lee Holmes at Microsoft on this subject:

It might be a good time to talk to your customer 😊 Anything but NoLanguage mode in an endpoint is a security vulnerability.
99% of the security boundary in JEA comes from the commands you are allowed to call. Callers are allowed to invoke any ‘Public’ commands, and (of course), those public commands can call any commands at all.
The security issue is that ConstrainedLanguage lets you define functions. So the functions you define can call literally any command, thereby destroying the security boundary (of which commands people are allowed to call).

https://youtu.be/M5bkHUQy-JA?t=5172

Lee


If I understand that correctly, ConstrainedLanguage mode will not provide you with any added security anyway.
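
An added example, not part of the thread and not code from Microsoft or SAPIEN: a PowerShell check that reads JEA session configuration files (.pssc) and reports any whose effective language mode is not NoLanguage, the condition the quoted reply describes. The function names, sample file contents and temp directory are constructed for illustration, and it assumes omitted keys take the New-PSSessionConfigurationFile defaults.

```powershell
# Added example: audit JEA session configuration files for their language mode.
function Get-EffectiveLanguageMode {
    param([Parameter(Mandatory)][hashtable]$Config)
    if ($Config.ContainsKey('LanguageMode')) { return [string]$Config['LanguageMode'] }
    # Assumption: when LanguageMode is omitted, the New-PSSessionConfigurationFile
    # defaults apply: SessionType 'Default' gives FullLanguage, while 'Empty' and
    # 'RestrictedRemoteServer' give NoLanguage. A missing SessionType is treated
    # as 'Default', which errs on the side of flagging the file.
    $sessionType = if ($Config.ContainsKey('SessionType')) { [string]$Config['SessionType'] } else { 'Default' }
    if ($sessionType -eq 'Default') { return 'FullLanguage' }
    return 'NoLanguage'
}

function Test-JeaSessionConfig {
    param([Parameter(Mandatory)][string]$Path)
    # A .pssc file is a PowerShell data file, so it is parsed here without executing it.
    $config = Import-PowerShellDataFile -LiteralPath $Path
    $mode   = Get-EffectiveLanguageMode -Config $config
    [pscustomobject]@{
        File         = Split-Path -Leaf $Path
        LanguageMode = $mode
        # Only NoLanguage prevents callers from defining their own functions.
        Compliant    = ($mode -eq 'NoLanguage')
    }
}

# Constructed sample configurations (not taken from any real endpoint).
$samples = [ordered]@{
    'weak.pssc'     = "@{ SchemaVersion = '2.0.0.0'; SessionType = 'RestrictedRemoteServer'; LanguageMode = 'ConstrainedLanguage'; VisibleCmdlets = 'Restart-Service' }"
    'implicit.pssc' = "@{ SchemaVersion = '2.0.0.0'; SessionType = 'Default'; VisibleCmdlets = 'Restart-Service' }"
    'hardened.pssc' = "@{ SchemaVersion = '2.0.0.0'; SessionType = 'RestrictedRemoteServer'; LanguageMode = 'NoLanguage'; VisibleCmdlets = 'Restart-Service' }"
}

$dir = Join-Path ([IO.Path]::GetTempPath()) 'jea-audit-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$results = foreach ($name in $samples.Keys) {
    $file = Join-Path $dir $name
    Set-Content -LiteralPath $file -Value $samples[$name]
    Test-JeaSessionConfig -Path $file
}

# Show every file, then list only the ones that need attention.
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "$($_.File): LanguageMode is $($_.LanguageMode), expected NoLanguage"
}
```

To audit real endpoints, point Test-JeaSessionConfig at the .pssc files used to register them instead of the constructed samples.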

Re: Running an exported form in ConstrainedLanguage mode causes massive errors

Posted: Thu Jul 11, 2019 5:13 am
by FrankAndrew
Hi Alex,

Thanks for the FAST response, you are FAST as always.

I will pass this information back to our Client Admin guys.

But I think those five lines of code would be helpful, I don't think they will hurt anybody.

Regards,
Drew