We recommend using Visual Studio 2017

Security Warning Dialog Box (MSBuild Project File) 

In Visual Studio 2005, it is possible to customize an MSBuild project file to redefine the build process. Portions of the build process defined in the project file are executed at design-time immediately after a project is loaded in the integrated development environment (IDE). This dialog box detects customized project files that coud present security risks and allows you to choose how the IDE should open the project.

UI Elements

More Details

Opens a dialog box that explains why the project file was determined to be a potential security risk.

Load project for browsing

Opens the project in the IDE with increased security. This option allows you to browse the contents of the project, but some functionality, such as IntelliSense, is restricted. When a project is loaded for browsing, actions such as building, cleaning, publishing, or opening designers could still remain unsafe.

Load project normally

Opens the project normally in the IDE. Use this option if you trust the source and understand the potential risks involved. The IDE does not restrict any project functionality and will not prompt you again for this project.

Ask me for every project in this solution

Select this option to be prompted for every project in the solution.

Determining Unsafe Project Files

There are several reasons why a project file is determined to be a potential security risk. These reasons are:

  • The project file contains one or more non-standard Import elements.

  • The project file overrides one or more potentially unsafe targets. For more information on targets, see MSBuild Targets.

  • The project file overrides one or more potentially unsafe properties. For more information on properties, see MSBuild Properties.

  • The project file defines one or more potentially unsafe items. For more information on items, see MSBuild Items.

  • The project file contains one or more UsingTask elements.

  • Project items are located in a potentially unsafe location.

Non-standard Import Elements

A list of standard .targets files is stored in the registry at HKEY_LOCALMACHINE\Software\Microsoft\VisualStudio\8.0\MSBuild\SafeImports. If a project file imports a .targets file that is not stored in the registry, it is determined to be a potential security risk.

Potentially Dangerous Targets

The IDE runs several targets while loading a project. If one of these targets has been overridden in a custom project file, it is recognized as a potential security risk. The targets that the IDE runs while loading a project include:

  • Compile

  • GetFrameworkPaths

  • AllProjectOutputGroupsDependencies

  • AllProjectOutputGroups

  • CopyRunEnvironmentFiles

  • ResolveComReferences

  • ResolveAssemblyReferences

  • ResolveNativeReferences

Potentially Dangerous Properties

The following list explains the basic types of potentially dangerous properties.

  • Properties used in the DependsOn attribute of potentially dangerous targets.

  • Properties used in the Project attributes of Import elements used in safe .targets files.

  • Properties used by potentially dangerous targets or their tasks.

  • Properties that begin with an underscore (_).

  • There are also special properties used by the IDE to manage potentially dangerous targets, items, and properties. These properties cannot be overridden in a project file. The special properties are:

  • LoadTimeSensitiveTargets

  • LoadTimeSensitiveProperties

  • LoadTimeSensitiveItems

  • LoadTimeCheckItemLocation

Potentially Dangerous Items

Certain items used by imported .targets files cannot be overridden in a project file. If one or more of these items are overridden, the project is considered a potential security risk.

UsingTask Elements

A custom task can run potentially unsafe code. Therefore, all project files containing one or more UsingTask elements are considered a potential security risk.

Project Items in Potentially Dangerous Locations

Some items in otherwise safe .targets files set their paths based on user-defined project properties. In order to prevent an item from overwriting an important file, project files that contain item paths that evaluate to one of the following locations or any subdirectories of these locations are considered potential security risks unless they are also located in or below the solution file or project file directory.

  • The root directory of any drive.

  • The Windows directory (for example, C:\Windows).

  • The Program Files directory (for example, C:\Program Files)

See Also