The security problem when use dynamic compile and run code!

Question

User1040369262 posted

I can use the following similar code dynamic compile and run c# code mode by user, some user maybe to write bad code, and some user maybe to write malignance code. If I dynamic compile and run the bad code, maybe  cuase the system down, how can I do to avoid the case? Thanks!

using System;
using System.Reflection;
using System.Globalization;
using Microsoft.CSharp;
using System.CodeDom;
using System.CodeDom.Compiler;
using System.Text;

namespace ConsoleApplication1
{
    public class Program
    {
        static void Main(string[] args)
        {
            //1.CSharpCodePrivoder
            CSharpCodeProvider objCSharpCodePrivoder = new CSharpCodeProvider();

            //2.CompilerParameters
            CompilerParameters objCompilerParameters = new CompilerParameters();
            objCompilerParameters.ReferencedAssemblies.Add("System.dll");
            objCompilerParameters.GenerateExecutable = false;
            objCompilerParameters.GenerateInMemory = true;

            //3.CompilerResults
            CompilerResults cr = objCSharpCodePrivoder.CompileAssemblyFromSource(objCompilerParameters, GenerateCode());

            if (cr.Errors.HasErrors)
            {
                foreach (CompilerError err in cr.Errors)
                {
                    Console.WriteLine(err.ErrorText);
                }
            }
            else
            {
                Assembly objAssembly = cr.CompiledAssembly;
                object objHelloWorld = objAssembly.CreateInstance("DynamicCodeGenerate.HelloWorld");
                MethodInfo objMI = objHelloWorld.GetType().GetMethod("OutPut");

                Console.WriteLine(objMI.Invoke(objHelloWorld, null));
            }

            Console.ReadLine();
        }

        static string GenerateCode()
        {
            StringBuilder sb = new StringBuilder();
            sb.Append("using System;");
            sb.Append(Environment.NewLine);
            sb.Append("namespace DynamicCodeGenerate");
            sb.Append(Environment.NewLine);
            sb.Append("{");
            sb.Append(Environment.NewLine);
            sb.Append("    public class HelloWorld");
            sb.Append(Environment.NewLine);
            sb.Append("    {");
            sb.Append(Environment.NewLine);
            sb.Append("        public string OutPut()");
            sb.Append(Environment.NewLine);
            sb.Append("        {");
            sb.Append(Environment.NewLine);
            sb.Append("             return \"Hello world  cw!\";");
            sb.Append(Environment.NewLine);
            sb.Append("        }");
            sb.Append(Environment.NewLine);
            sb.Append("    }");
            sb.Append(Environment.NewLine);
            sb.Append("}");

            string code = sb.ToString();
            // Console.WriteLine(code);
            // Console.WriteLine();

            return code;
        }
    }
}

Answer 1

User1040369262 posted

Could you help me? Thanks! 

Answer 2

User1040369262 posted

Could you help me? any suggestion for me?

Thanks 

Answer 3

User-319574463 posted

In the project properties there is a tab for security that sets code access security. Have a look at the following and see how you can assert for your dynamic code.

• http://en.wikipedia.org/wiki/Code_Access_Security
• http://www.15seconds.com/issue/040121.htm
• http://msdn.microsoft.com/en-us/library/930b76w0(VS.71).aspx
• http://www.codeproject.com/KB/security/UB_CAS_NET.aspx

Look at at inserting an assertion with a syntax along the lines of

[FileIOPermission(SecurityAction.Demand, Unrestricted=true)]
public class MyClass 
{
    public MyClass() {...}   // all these methods

    public void MyMethod_A() {...} // demands unrestricted access to 

    public void MyMethod_B() {...} // the file system

}