Replies: 4 comments
-
Hi, sorry for the rather late response. This feature was removed due to a critical security flaw that would allow a bad actor to craft a malicious resource which could lead to arbitrary code execution when deserialized by dnSpy. This is because dnSpy uses the APIs provided by Microsoft to convert The only way to implement this feature would be to use custom implementations of the APIs provided by Microsoft but with the custom type deserialization removed. This is definitely possible but would require quite some time commitment to implement. I will look into this more when I have more time.
-
Thank you very much for the comprehensive response to my query. I didn't know the reason but now I understand it because some other decompilers also chose to include a note about it, although they still maintain it. I don't know if activating it again, with a note of the danger that its use supposes, will be the best solution if the implementation time in a secure way is very expensive. Also thank you very much for continuing to maintain this great program which is much more than a decompiler.
-
Hi, in commit 6032d58 I added back support for exporting resources to Please let me know if this new implementation suits all your needs!
-
Hello, I am very glad that you have implemented this option because it is
very useful for me. There are other options for creating .resx files, but
the fact that it's included in dnSpyEx makes things easier for me. Thank
you so much.
On Sun, 5 Feb 2023 at 21:34, ElektroKill (***@***.***) wrote:
Hi, in commit 6032d58
I added back support for exporting resources to .resx files. This was
done by implementing a custom implementation of ResXResourceWriter based
on the one included with the runtime. This new implementation uses the
dnlib resource reader and does not contain any of the serialization logic
present in the original implementation. This should mean that this new
writer is no longer vulnerable to arbitrary code execution.
Please let me know if this new implementation suits all your needs!
-
Why is the option to convert .resources to .resx unchecked? In old versions this conversion was possible, but not now.
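The approach described in the thread, a .resx writer with no deserialization step, sketched as an added example. This is not dnSpyEx code and not the implementation from commit 6032d58; the class name `OpaqueResXWriter`, the name-to-bytes input shape, and the reduced header set are assumptions made for illustration.

```csharp
// Added example (not dnSpyEx code): copy serialized resource payloads into
// .resx XML as opaque base64, without ever deserializing them.
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

static class OpaqueResXWriter   // hypothetical name
{
    // MIME type .resx uses for binary-serialized object payloads.
    const string BinaryMime = "application/x-microsoft.net.object.binary.base64";

    // 'entries' maps resource name -> raw serialized bytes exactly as stored
    // in the .resources file (assumed input shape for this example).
    public static string Write(IReadOnlyDictionary<string, byte[]> entries)
    {
        var sw = new StringWriter();
        var settings = new XmlWriterSettings { Indent = true, OmitXmlDeclaration = true };
        using (var xw = XmlWriter.Create(sw, settings))
        {
            xw.WriteStartElement("root");
            Header(xw, "resmimetype", "text/microsoft-resx");
            Header(xw, "version", "2.0");
            foreach (var e in entries)
            {
                xw.WriteStartElement("data");
                xw.WriteAttributeString("name", e.Key);      // XmlWriter escapes the name
                xw.WriteAttributeString("mimetype", BinaryMime);
                // The payload is handled as bytes only: no formatter and no type
                // resolution, so nothing inside it can run during export.
                xw.WriteElementString("value", Convert.ToBase64String(e.Value));
                xw.WriteEndElement();
            }
            xw.WriteEndElement();
        }
        return sw.ToString();
    }

    static void Header(XmlWriter xw, string name, string value)
    {
        xw.WriteStartElement("resheader");
        xw.WriteAttributeString("name", name);
        xw.WriteElementString("value", value);
        xw.WriteEndElement();
    }

    static void Main()
    {
        // Constructed sample: arbitrary bytes standing in for a serialized blob.
        var sample = new Dictionary<string, byte[]> { ["Icon<1>"] = new byte[] { 0x00, 0x01, 0xFF } };
        Console.WriteLine(Write(sample));
    }
}
```

The exported file still carries the serialized payload unchanged, so any tool that later loads it with a deserializing reader is exposed to it; only the export step is taken out of the attack path.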