[BUG]: ProcessInvokerWrapper does not support Constrained Language Mode #4492
Comments
It looks like the arguments for this call to powershell.exe are built in PowerShell3Handler.cs starting on line 49 (for the current master release), which is then used on a call to StepHost.ExecuteAsync passing this string as an argument. I propose either writing this set of commands to disk, and making the argument passed to powershell.exe the name of the file being referenced. Ideally this created script should be signed, but as long as it exists on disk on an identifiable path it can be whitelisted for WDAC / CLM enforcement. A better alternative would be a signed, parameterized PowerShell script that is designed to take the four arguments being passed to build this string.
Hi @timbrigham-oc, thanks for reporting!
@vmapetr, I think we can close this ticket. I've submitted a pull request to address this issue.
It's been four months since I submitted this pull request and it hasn't been merged. Needs to be in the backlog.
This issue has had no activity in 180 days. Please comment if it is not actually stale.
Closing since merged in pull request 4917. Thanks MS team!
What happened?
While attempting to run any of the common tasks (script, powershell, powershell@2) the following error occurs on WDAC & CLM enabled devices. This makes using the Azure DevOps agent to test on endpoints hardened with this technology impossible. Please note that this is not a problem with a single task. I believe that this does not belong with the team at Azure-Pipelines-Tasks as a result. Using ProcMon while executing a pipeline shows definitively that Agent.Worker.exe is responsible for spawning a PowerShell instance with dynamic, unsigned code via the prompt instead of a script file.
The error received is the same for all tasks:
Cannot invoke method. Method invocation is supported only on core types in this language mode.
On analysis of the logs, the ProcessInvokerWrapper statement from the worker log shows that there is code being executed directly through a PowerShell prompt, included in the bug report.
Since this code is being executed from the PowerShell prompt and not a script file it isn't signable. Not signable dynamic code equals CLM. CLM in use results in "Method invocation is supported only on core types in this language mode."
The method invocation failure results in not being able to test real world hardened devices using an ADO pipeline.
Versions
This has been received on agents from version 2.1.x (historical device which is now decommissioned) until 3.227.2.
Occurs with any Windows operating system with WDAC and CLM enabled.
Environment type (Please select at least one environment where you face this issue)
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operation system
Win 10, Win 11, Server 2019, Server 2022
Version control system
git
Relevant log output
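A diagnostic for the behaviour described in this issue, added here as an example; it is not code from the issue, the pull request or the agent. It runs the same statement once as an inline `-Command` string and once from a file on disk, and reports the language mode each child session ended up in together with the file's Authenticode status. The function name `Get-LanguageModeReport` and the default probe path are assumptions; point `-ProbePath` at the location your WDAC policy allows.

```powershell
# Added example (not from the issue or the agent). Function name and default
# path are hypothetical. Uses only constructs that work in ConstrainedLanguage,
# so it can be run from a session on the hardened endpoint itself.
function Get-LanguageModeReport {
    [CmdletBinding()]
    param(
        # Where the probe script is written. Use a path covered by the
        # WDAC policy to verify that the allow rule takes effect.
        [string]$ProbePath = (Join-Path $env:TEMP 'clm-probe.ps1')
    )

    # The probe only reads a property; no method call, so it succeeds
    # in both FullLanguage and ConstrainedLanguage.
    $probe = '$ExecutionContext.SessionState.LanguageMode'
    $common = @('-NoLogo', '-NoProfile', '-NonInteractive')

    # 1. Code passed as a command-line string (the pattern in the worker log).
    $inline = & powershell.exe @common -Command $probe 2>$null

    # 2. The same statement written to disk and started with -File.
    Set-Content -LiteralPath $ProbePath -Value $probe -Encoding UTF8
    $fromFile = & powershell.exe @common -File $ProbePath 2>$null
    $sig = Get-AuthenticodeSignature -LiteralPath $ProbePath

    # Normalise child output; an empty result means the child produced
    # no output (for example, execution policy refused the file).
    $inlineMode = ($inline | Out-String).Trim()
    $fileMode = ($fromFile | Out-String).Trim()
    if (-not $inlineMode) { $inlineMode = 'NoOutput' }
    if (-not $fileMode) { $fileMode = 'NoOutput' }

    # Hashtable output keeps the function usable from a constrained session.
    @{
        CurrentSession  = $ExecutionContext.SessionState.LanguageMode
        InlineCommand   = $inlineMode
        ScriptFile      = $fileMode
        ProbePath       = $ProbePath
        SignatureStatus = $sig.Status
    }
}

Get-LanguageModeReport
```

The probe written by this function is unsigned, so `SignatureStatus` reports `NotSigned` unless you sign the file at `-ProbePath` yourself before re-running the `-File` step.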