
Conversation

@pranav-gupta-msft
Contributor

Add untrusted-data-instance-note to APIs that handle external XML/SRGS/SSML/audio files to warn developers about security risks when processing untrusted data.

Changes:

  • SrgsDocument: Added class-level warning and warnings to constructors that accept file paths and XmlReader
  • Grammar: Added warnings to constructors that accept file paths and streams
  • PromptBuilder: Added warnings to AppendSsml(XmlReader) and AppendAudio(string) methods
  • GrammarBuilder: Added warnings to AppendRuleReference methods that accept file paths

These APIs can load and parse external files that may contain corrupted or malicious content. The warnings direct developers to validate all inputs per OWASP guidelines.

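
As an added illustration of what "validate all inputs" means for these particular APIs (this is example code, not part of the PR, the docs, or the System.Speech library): route untrusted SRGS and SSML through an XmlReader whose settings forbid DTDs and external resolution, and confine the file-path overloads (Grammar(string), SrgsDocument(string), AppendRuleReference(string), AppendAudio(string)) to a directory the application controls. The `speechdata` directory, the `.grxml`/`.ssml`/`.wav` extension policy and the size caps are assumptions chosen for the example; System.Speech itself is Windows-only.

```csharp
// Added example (not from the PR or the System.Speech documentation).
// Assumes the System.Speech package on Windows and an application-controlled
// base directory "speechdata" next to the executable (both are assumptions).
using System;
using System.IO;
using System.Speech.Recognition;
using System.Speech.Recognition.SrgsGrammar;
using System.Speech.Synthesis;
using System.Xml;

static class UntrustedSpeechInput
{
    // Only files under this directory may be loaded; everything else is refused.
    static readonly string AllowedRoot =
        Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "speechdata"));

    // Reader settings that remove the usual XML attack surface before the
    // speech APIs ever see the document: no DTDs (no entity expansion),
    // no resolver (no external entities or fetches), and hard size limits.
    static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024,          // assumed cap
        MaxCharactersInDocument = 1 * 1024 * 1024, // assumed cap: 1 MiB
        IgnoreProcessingInstructions = true,
    };

    // Canonicalise a caller-supplied path and require it to stay inside
    // AllowedRoot with the expected extension. Rejects "..", absolute paths
    // elsewhere and UNC paths because the canonical form no longer starts
    // with the root.
    public static string ResolveInsideRoot(string untrustedPath, string expectedExtension)
    {
        if (string.IsNullOrWhiteSpace(untrustedPath))
            throw new ArgumentException("Empty path.", nameof(untrustedPath));

        string full = Path.GetFullPath(Path.Combine(AllowedRoot, untrustedPath));
        string rootWithSep = AllowedRoot.TrimEnd(Path.DirectorySeparatorChar)
                             + Path.DirectorySeparatorChar;

        if (!full.StartsWith(rootWithSep, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException($"Path escapes {AllowedRoot}: {untrustedPath}");
        if (!string.Equals(Path.GetExtension(full), expectedExtension, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException($"Expected a {expectedExtension} file.", nameof(untrustedPath));
        if (!File.Exists(full))
            throw new FileNotFoundException("Speech data file not found.", full);
        return full;
    }

    // Load an SRGS grammar from an untrusted file through the hardened reader
    // rather than the Grammar(string path) or SrgsDocument(string path) overloads,
    // so the parser never processes DTDs or resolves external references.
    public static Grammar LoadGrammar(string untrustedPath)
    {
        string path = ResolveInsideRoot(untrustedPath, ".grxml");
        using FileStream fs = File.OpenRead(path);
        using XmlReader reader = XmlReader.Create(fs, HardenedSettings());
        var srgs = new SrgsDocument(reader); // reads synchronously while reader is open
        return new Grammar(srgs);
    }

    // Same treatment for SSML appended to a PromptBuilder via AppendSsml(XmlReader).
    public static PromptBuilder BuildPrompt(string untrustedSsmlPath)
    {
        string path = ResolveInsideRoot(untrustedSsmlPath, ".ssml");
        var builder = new PromptBuilder();
        using FileStream fs = File.OpenRead(path);
        using XmlReader reader = XmlReader.Create(fs, HardenedSettings());
        builder.AppendSsml(reader);
        return builder;
    }

    // Audio is not XML, but AppendAudio(string) still takes an arbitrary path;
    // confine it the same way and accept only the format the application ships.
    public static void AppendConfinedAudio(PromptBuilder builder, string untrustedWavPath)
    {
        string path = ResolveInsideRoot(untrustedWavPath, ".wav");
        builder.AppendAudio(path, "audio unavailable"); // alternate text if playback fails
    }
}
```

Two caveats worth keeping in mind when applying this pattern. The hardened XmlReader only governs the document being parsed: an SRGS file can still point at other grammars (for example through a rule reference to another file, which is what the GrammarBuilder.AppendRuleReference warnings in this PR are about), and those referenced files are loaded later by the recognition engine under its own rules, so the same path confinement must apply to every file the grammar can name. And because Path.GetFullPath resolves relative to the current process, the AllowedRoot check should be computed once at startup, not rebuilt from request data.
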
@pranav-gupta-msft pranav-gupta-msft requested a review from a team as a code owner December 16, 2025 05:43
Copilot AI review requested due to automatic review settings December 16, 2025 05:43
@github-actions github-actions bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Dec 16, 2025
@pranav-gupta-msft
Contributor Author

@dotnet-policy-service agree company="Microsoft"

Contributor

Copilot AI left a comment

Pull request overview

This PR adds security warnings to System.Speech APIs that handle external data sources (XML, SRGS, SSML, and audio files) to alert developers about potential security risks when processing untrusted data.

Key changes:

  • Added untrusted-data-instance-note include directives to constructors and methods that accept file paths, streams, or XmlReader objects
  • Applied warnings consistently across four XML documentation files covering speech recognition and synthesis APIs
  • Class-level and method-level warnings added to ensure comprehensive security guidance

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File | Description
xml/System.Speech.Synthesis/PromptBuilder.xml | Added security warnings to AppendAudio(string) and AppendSsml(XmlReader) methods
xml/System.Speech.Recognition/GrammarBuilder.xml | Added security warnings to both AppendRuleReference method overloads that accept file paths
xml/System.Speech.Recognition/Grammar.xml | Added security warnings to four constructors that accept file paths or streams
xml/System.Speech.Recognition.SrgsGrammar/SrgsDocument.xml | Added class-level security warning and warnings to constructors that accept file paths or XmlReader

@GrabYourPitchforks
Member

Followup PR to #12058, which added the warning to specific APIs but didn't consistently add the warning at the class level. This moves the warnings to top-level.

@pranav-gupta-msft pranav-gupta-msft merged commit a1ac477 into main Dec 17, 2025
13 checks passed
@pranav-gupta-msft pranav-gupta-msft deleted the users/pragupta/fixingSpeechDocumentation branch December 17, 2025 03:59