The security problem when dynamically compiling and running code!

  • Question

  • User1040369262 posted

    I can use code similar to the following to dynamically compile and run C# code written by users. Some users may write bad code, and some may write malicious code. If I dynamically compile and run that code, it may bring the system down. How can I avoid this? Thanks!


    using System;
    using System.Reflection;
    using System.Globalization;
    using Microsoft.CSharp;
    using System.CodeDom;
    using System.CodeDom.Compiler;
    using System.Text;

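    namespace ConsoleApplication1
    {
        /// <summary>
        /// Compiles C# source text at run time with CodeDOM and calls a method of the
        /// resulting type through reflection.
        /// </summary>
        /// <remarks>
        /// SECURITY: the compiled assembly is loaded into the current AppDomain and invoked
        /// in-process, so it runs with exactly the permissions of this program. A successful
        /// compile only proves the text is valid C#; it says nothing about what the code does.
        /// Limiting <c>ReferencedAssemblies</c> to System.dll is not a boundary either, because
        /// mscorlib and System.dll already expose file, process and network APIs.
        /// If the source text ever comes from a user instead of <see cref="GenerateCode"/>,
        /// do not run it here: execute it in an isolated, low-privilege environment (a
        /// separate process under a restricted account, or a partial-trust sandbox AppDomain
        /// on .NET Framework) with time and memory limits, so that a hang, crash or hostile
        /// call cannot take the host down.
        /// </remarks>
        public class Program
        {
            // Names the generated source must define; kept together so the source text and
            // the reflection lookups cannot drift apart silently.
            private const string GeneratedTypeName = "DynamicCodeGenerate.HelloWorld";
            private const string GeneratedMethodName = "OutPut";

            /// <summary>
            /// Compiles the text returned by <see cref="GenerateCode"/>, prints compiler errors
            /// if there are any, otherwise instantiates the generated type and prints the
            /// return value of its method. Waits for Enter before exiting.
            /// </summary>
            /// <param name="args">Command-line arguments; not used.</param>
            static void Main(string[] args)
            {
                // The provider is IDisposable; dispose it once compilation is finished.
                using (CSharpCodeProvider provider = new CSharpCodeProvider())
                {
                    CompilerParameters options = new CompilerParameters();
                    options.ReferencedAssemblies.Add("System.dll");
                    options.GenerateExecutable = false;
                    options.GenerateInMemory = true;

                    CompilerResults results = provider.CompileAssemblyFromSource(options, GenerateCode());

                    if (results.Errors.HasErrors)
                    {
                        foreach (CompilerError err in results.Errors)
                        {
                            Console.WriteLine(err.ErrorText);
                        }
                    }
                    else
                    {
                        RunGeneratedCode(results.CompiledAssembly);
                    }
                }

                Console.ReadLine();
            }

            /// <summary>
            /// Creates the generated type from <paramref name="assembly"/> and prints the
            /// result of invoking its method.
            /// </summary>
            /// <param name="assembly">Assembly produced by the in-memory compilation.</param>
            private static void RunGeneratedCode(Assembly assembly)
            {
                // CreateInstance returns null when the type name is not found in the assembly.
                object instance = assembly.CreateInstance(GeneratedTypeName);
                if (instance == null)
                {
                    Console.WriteLine("Type not found in compiled assembly: " + GeneratedTypeName);
                    return;
                }

                // GetMethod returns null when no public method with that name exists.
                MethodInfo method = instance.GetType().GetMethod(GeneratedMethodName);
                if (method == null)
                {
                    Console.WriteLine("Method not found on generated type: " + GeneratedMethodName);
                    return;
                }

                try
                {
                    // NOTE(review): this call runs the generated code on the calling thread with
                    // no timeout and full host permissions. The catch below only covers ordinary
                    // exceptions; an endless loop or a stack overflow in the generated code still
                    // stalls or terminates the whole process, which is why untrusted source needs
                    // process-level isolation rather than a try/catch.
                    Console.WriteLine(method.Invoke(instance, null));
                }
                catch (TargetInvocationException ex)
                {
                    // Reflection wraps whatever the generated method threw.
                    Exception cause = ex.InnerException ?? ex;
                    Console.WriteLine("Generated code threw: " + cause.Message);
                }
            }

            /// <summary>
            /// Builds the C# source that is compiled at run time: a class
            /// <c>DynamicCodeGenerate.HelloWorld</c> with a parameterless <c>OutPut</c> method
            /// that returns a fixed string.
            /// </summary>
            /// <returns>The source text, lines separated by <see cref="Environment.NewLine"/>.</returns>
            static string GenerateCode()
            {
                string[] lines =
                {
                    "using System;",
                    "namespace DynamicCodeGenerate",
                    "{",
                    "    public class HelloWorld",
                    "    {",
                    "        public string OutPut()",
                    "        {",
                    "             return \"Hello world  cw!\";",
                    "        }",
                    "    }",
                    "}"
                };

                // Joining leaves no trailing newline after the closing brace.
                return string.Join(Environment.NewLine, lines);
            }
        }
    }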

    Tuesday, February 9, 2010 8:10 AM

All replies