Sunday 25 October 2015

Improve security of reflected code

Firstly can I just clarify that I am aware that the code outlined below is bad. Can I also reassure you that this is not for a real life product.

I have a VB.NET application which receives a string of math from the user; this string then has all the full stops removed and is inserted into the middle of a resource string.

Together these strings form some VB.NET source code which is then compiled using a VBCodeProvider and called:

' 'code' is the resource string with the user's math spliced in; 'Input' is the argument handed to Evaluate.
Dim compilerParameters As New System.CodeDom.Compiler.CompilerParameters With
    {.GenerateExecutable = False,
     .GenerateInMemory = True}
' Only the running application is referenced (no System.dll etc.).
compilerParameters.ReferencedAssemblies.Add(System.Windows.Forms.Application.ExecutablePath)
Dim results = (New Microsoft.VisualBasic.VBCodeProvider).CompileAssemblyFromSource(compilerParameters, code)
' CompiledAssembly throws if compilation failed, so check the error collection first.
If results.Errors.HasErrors Then Throw New InvalidOperationException(results.Errors(0).ErrorText)
Dim assemblyInstance = results.CompiledAssembly.CreateInstance("FunctionMadeFromUserInput")
assemblyInstance.GetType.GetMethod("Evaluate").Invoke(assemblyInstance, {Input})

I would like your advice on ways to prevent user injection of malicious code, my specific efforts so far have been:

  1. The only reference in the compiled assembly is to the current application (no reference to System etc.)
  2. The user's input is stripped of '.'s before compilation

While doing research to try to answer this question I have come across the System.CodeDom.Compiler.CompilerParameters.Evidence property; however, in .NET 4 this is deprecated. Then I discovered the idea of placing various <Assembly: System.Security...> attributes in the resource string; however, I am unable to work out which attributes will reduce the attack surface most effectively.

I am interested in preventing the user-entered code from accessing disk and network IO and as many other potentially harmful things as you can protect against.

Final disclaimer: I know this is not the best method of evaluating math, the math is not what I'm interested in. I am interested in ways of making execution of user input marginally less abominable.
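The following is an added example, not code from the question: instead of splicing user text into VB source and denylisting characters such as '.', it accepts the input only if it parses as arithmetic (numbers, + - * / ^, unary minus, parentheses) and evaluates the parsed structure directly, so nothing the user types ever reaches VBCodeProvider. The class and method names (ArithmeticEvaluator, Evaluate) are hypothetical.

```vbnet
' Added example (hypothetical names): a recursive-descent parser that doubles as an
' allowlist. Any character or structure outside the grammar throws a FormatException.
Imports System
Imports System.Globalization

Public Class ArithmeticEvaluator
    Private ReadOnly _text As String
    Private _pos As Integer

    Private Sub New(text As String)
        _text = text
        _pos = 0
    End Sub

    ' Entry point. Example: Evaluate("2*(3+4)^2") returns 98; letters, quotes or
    ' any other character outside the grammar cause a FormatException.
    Public Shared Function Evaluate(expression As String) As Double
        Dim p As New ArithmeticEvaluator(expression)
        Dim value As Double = p.ParseExpression()
        p.SkipSpaces()
        If p._pos <> p._text.Length Then
            Throw New FormatException("Unexpected input at position " & p._pos)
        End If
        Return value
    End Function

    Private Sub SkipSpaces()
        While _pos < _text.Length AndAlso Char.IsWhiteSpace(_text(_pos))
            _pos += 1
        End While
    End Sub

    ' Returns the next non-space character, or NullChar at end of input.
    Private Function Peek() As Char
        SkipSpaces()
        If _pos < _text.Length Then Return _text(_pos)
        Return ControlChars.NullChar
    End Function

    ' expression := term (('+' | '-') term)*
    Private Function ParseExpression() As Double
        Dim value As Double = ParseTerm()
        Do
            Dim c As Char = Peek()
            If c = "+"c Then
                _pos += 1 : value += ParseTerm()
            ElseIf c = "-"c Then
                _pos += 1 : value -= ParseTerm()
            Else
                Exit Do
            End If
        Loop
        Return value
    End Function

    ' term := factor (('*' | '/') factor)*
    Private Function ParseTerm() As Double
        Dim value As Double = ParseFactor()
        Do
            Dim c As Char = Peek()
            If c = "*"c Then
                _pos += 1 : value *= ParseFactor()
            ElseIf c = "/"c Then
                _pos += 1 : value /= ParseFactor()
            Else
                Exit Do
            End If
        Loop
        Return value
    End Function

    ' factor := unary ('^' factor)?   (right-associative exponent)
    Private Function ParseFactor() As Double
        Dim base As Double = ParseUnary()
        If Peek() = "^"c Then
            _pos += 1
            Return Math.Pow(base, ParseFactor())
        End If
        Return base
    End Function

    ' unary := '-' unary | primary
    Private Function ParseUnary() As Double
        If Peek() = "-"c Then
            _pos += 1
            Return -ParseUnary()
        End If
        Return ParsePrimary()
    End Function

    ' primary := number | '(' expression ')'
    Private Function ParsePrimary() As Double
        If Peek() = "("c Then
            _pos += 1
            Dim inner As Double = ParseExpression()
            If Peek() <> ")"c Then Throw New FormatException("Missing ')' at position " & _pos)
            _pos += 1
            Return inner
        End If
        Dim start As Integer = _pos
        While _pos < _text.Length AndAlso (Char.IsDigit(_text(_pos)) OrElse _text(_pos) = "."c)
            _pos += 1
        End While
        If start = _pos Then Throw New FormatException("Expected a number at position " & start)
        Return Double.Parse(_text.Substring(start, _pos - start), CultureInfo.InvariantCulture)
    End Function
End Class
```

The parser is the security control: the set of accepted inputs is exactly the grammar, so there is no denylist to bypass and no assembly to sandbox. If compilation is still wanted for some other reason, the same approach applies in reverse: parse the user text into a tree first and emit the VB expression from that tree, so the compiler only ever sees source the program itself generated.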
