WSLC: sanitize HostingProcessNameSuffix to keep vmmem process name well-formed #40471
Open
Pull request overview
This PR updates WSLC session naming to avoid embedding the caller’s username in the default session name (to prevent HCS/vmmem suffix issues and username collisions), and adds strict validation for caller-supplied session display names before they can flow into HCS.
Changes:
- Switch default session naming to fixed well-known names (`wslc-cli`/`wslc-cli-admin`) and disambiguate per-user default sessions by comparing owner SIDs during lookup.
- Add server-side validation for custom session names using an ASCII allowlist and maximum-length enforcement.
- Update unit and E2E tests to remove username-suffixed expectations and add new validation cases.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| test/windows/WSLCTests.cpp | Adds negative tests for invalid session name characters and a regression assertion about reserved-name behavior. |
| test/windows/wslc/e2e/WSLCE2ESessionEnterTests.cpp | Updates default storage path computation to no longer include username suffix. |
| test/windows/wslc/e2e/WSLCE2EHelpers.cpp | Updates helper logic to terminate default sessions using fixed well-known names. |
| test/windows/wslc/e2e/WSLCE2EGlobalTests.cpp | Updates expected default session name helpers/comments to fixed names and SID-based disambiguation. |
| src/windows/service/exe/WSLCSessionManager.h | Documents new default-name behavior and introduces IsValidSessionName. |
| src/windows/service/exe/WSLCSessionManager.cpp | Implements fixed default names, owner-SID scoping for default lookups, and display-name validation. |
| src/windows/service/exe/HcsVirtualMachine.cpp | Clarifies (via comment) that display names are validated before reaching HCS fields. |
7631ead to 36eab3e
OneBlue previously approved these changes May 8, 2026
…ll-formed

The HCS HostingProcessNameSuffix becomes the vmmem-XXX process name visible in Task Manager and parsed by various tooling. When the caller's DisplayName contains spaces, unicode, or other non-ASCII characters (which can easily happen because default session names are derived from the caller's username via LookupAccountSidW), it produces a malformed process name.

Fix: when assigning the suffix, replace any character outside the conservative ASCII allowlist [A-Za-z0-9._-] with '_'. Settings->DisplayName itself (used for the HCS Owner field, session lookup, etc.) is left untouched so existing session-naming behavior is unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
36eab3e to 8f1372d
Problem
The HCS `HostingProcessNameSuffix` becomes the `vmmem-XXX` process name visible in Task Manager and parsed by various tooling. `HcsVirtualMachine` was passing the caller's `Settings->DisplayName` straight through, but for default WSLC sessions that string is built from the caller's username via `LookupAccountSidW` (added in #40144 / cd05f5c). Usernames can easily contain spaces, unicode, or other characters that produce a malformed vmmem process name.

Fix
Sanitize the value when it's written to `HostingProcessNameSuffix`: replace any character outside the conservative ASCII allowlist `[A-Za-z0-9._-]` with `_`. `Settings->DisplayName` itself is not modified — it still flows verbatim into the HCS `Owner` field, session lookup, telemetry, etc. Only the vmmem suffix gets the scrub.

Scope
Intentionally minimal. This PR does not:
- `DisplayName`
- `WslCoreVm.cpp`, which already uses the literal `c_vmOwner = L"WSL"` for its suffix and so doesn't need sanitizing

If we later want to drop the username from the HCS `Owner` field too, that's a separate change.

Files
`src/windows/service/exe/HcsVirtualMachine.cpp` — file-local `SanitizeHostingProcessNameSuffix` helper applied at the single `HostingProcessNameSuffix` assignment site.

Build/test status
IntelliSense-checked only. No new tests — the sanitization is a one-line string transform on a path that has no observable behavior other than the vmmem process name.
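
The allowlist scrub and the stricter name validation discussed in this thread, as an added example (not code from the PR or the WSL repository): the function names, the 64-character limit and the sample names are assumptions made for illustration. It also shows why a scrubbed string cannot serve as a session identity, since distinct names collapse to the same suffix.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>

// Assumed limit for this example; the page does not state the real maximum.
constexpr std::size_t kMaxNameLength = 64;

// Explicit ASCII ranges instead of iswalnum(), which is locale-dependent and
// can classify non-ASCII letters as alphanumeric.
constexpr bool IsAllowedChar(wchar_t c) noexcept
{
    return (c >= L'A' && c <= L'Z') || (c >= L'a' && c <= L'z') ||
           (c >= L'0' && c <= L'9') || c == L'.' || c == L'_' || c == L'-';
}

// Lossy scrub for a display-only field: every disallowed character becomes '_'.
std::wstring SanitizeSuffix(const std::wstring& name)
{
    std::wstring out(name);
    std::replace_if(out.begin(), out.end(), [](wchar_t c) { return !IsAllowedChar(c); }, L'_');
    return out;
}

// Strict check for caller-supplied names: reject rather than rewrite.
bool IsAllowlistedName(const std::wstring& name)
{
    return !name.empty() && name.size() <= kMaxNameLength &&
           std::all_of(name.begin(), name.end(), IsAllowedChar);
}

// True when two different names scrub to the same suffix, which is why the
// scrubbed value must never be used as a lookup key or ownership check.
bool SuffixesCollide(const std::wstring& a, const std::wstring& b)
{
    return a != b && SanitizeSuffix(a) == SanitizeSuffix(b);
}

int main()
{
    // Constructed sample input: a username-derived name with a space and accents.
    const std::wstring name = L"Jos\u00e9 \u00c1lvarez";
    std::wcout << SanitizeSuffix(name) << L' ' << IsAllowlistedName(name) << L' '
               << SuffixesCollide(L"a b", L"a_b") << L'\n';
    return 0;
}
```
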