marcpopMSFT
Member

@marcpopMSFT marcpopMSFT commented Oct 10, 2025

Added a warning about untrusted .NET templates.

Summary

We wanted to make sure customers knew that installing and running untrusted templates came with risk. Let me know if I should update the dotnet new install documentation as well.


Internal previews

| 📄 File | 🔗 Preview link |
| --- | --- |
| docs/core/tools/custom-templates.md | docs/core/tools/custom-templates |
| docs/core/tools/dotnet-new-install.md | docs/core/tools/dotnet-new-install |

Added a warning about untrusted .NET templates.
@Copilot Copilot AI review requested due to automatic review settings October 10, 2025 17:23
@marcpopMSFT marcpopMSFT requested a review from a team as a code owner October 10, 2025 17:23
@dotnetrepoman dotnetrepoman bot added this to the October 2025 milestone Oct 10, 2025
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds a security warning to inform users about the risks of installing and running untrusted .NET templates. The warning explains that templates can execute MSBuild code, making them potentially dangerous if they come from untrusted sources.

  • Added a warning callout about security risks of untrusted templates

@marcpopMSFT marcpopMSFT requested a review from blowdart October 10, 2025 17:24
Contributor

@meaghanlewis meaghanlewis left a comment

@marcpopMSFT thanks for this PR! I left a warning style and wording change update for you.

And yes, please feel free to update the dotnet new install documentation too.

@blowdart
Contributor

I would be more formal than @meaghanlewis suggested with

Templates can run MSBuild code when triggered, do not install or run untrusted .NET templates.

(italics to highlight my wording change, not for the final edit)

@marcpopMSFT
Member Author

Thank you both. I used blowdart's text. I also added it to the dotnet new install documentation as well. I put it up near the top where it's less likely to be missed. I thought about putting it at the bottom or the end of the description section but was worried it would blend in too much. Thoughts on where I put it on that doc, @meaghanlewis?

marcpopMSFT and others added 2 commits October 13, 2025 16:28
Co-authored-by: Meaghan Osagie (Lewis) <mosagie@microsoft.com>
Reinstate warning about untrusted .NET templates.
@meaghanlewis
Contributor

@marcpopMSFT thanks for the updates!

@meaghanlewis meaghanlewis merged commit 88ba524 into main Oct 14, 2025
10 checks passed
@meaghanlewis meaghanlewis deleted the marcpopMSFT-patch-1 branch October 14, 2025 00:17