How can I run the compiled code in the current AppDomain in .NET Framework 4.0? Below is the code that works in .NET Framework 3.5, but objCompilerParameters.Evidence is obsolete in .NET Framework 4.0, so how do I solve it?

    using System;
    using System.CodeDom.Compiler;
    using Microsoft.VisualBasic;

    protected void Button1_Click(object sender, EventArgs e)
    {
        VBCodeProvider objVBCodeProvider = new VBCodeProvider();
        CompilerParameters objCompilerParameters = new CompilerParameters();
        objCompilerParameters.ReferencedAssemblies.Add("System.dll");
        // Obsolete in .NET Framework 4.0: this is the line the question is about.
        objCompilerParameters.Evidence = AppDomain.CurrentDomain.Evidence;
        objCompilerParameters.CompilerOptions = string.Empty;
        objCompilerParameters.GenerateExecutable = false;
        objCompilerParameters.GenerateInMemory = false;
        objCompilerParameters.IncludeDebugInformation = false;
        objCompilerParameters.TreatWarningsAsErrors = false;
        objCompilerParameters.WarningLevel = 0;
        // Let the compiled code reference the assembly that contains this page.
        objCompilerParameters.ReferencedAssemblies.Add(this.GetType().Assembly.Location);

        // source contains the code, is of type string
        CompilerResults cr = objVBCodeProvider.CompileAssemblyFromSource(objCompilerParameters, source);
        if (cr.Errors.HasErrors)
        {
            Console.WriteLine("Error");
            foreach (CompilerError err in cr.Errors)
            {
                Console.WriteLine(err.ErrorText);
            }
        }
        else
        {
            // Some things...
        }
    }
Willy
  • MSDN (http://msdn.microsoft.com/en-us/library/ee191568%28VS.100%29.aspx#migration) contains suggestions for migrating obsolete API – ChrisWue Jan 17 '13 at 09:26
  • I have read the suggestions described there. I am not interested in using the legacy policy option. I would like to migrate it, but the MSDN link you provided is not clear enough. Also, the Evidence property of the CompilerParameters class does not say how to migrate, that is, how to apply security permissions to the compiler in .NET Framework 4.0. – Willy Jan 17 '13 at 16:24
  • The target is to apply security policy permissions to grant the compiled assembly. I do not know how to translate objCompilerParameters.Evidence = AppDomain.CurrentDomain.Evidence; into valid (not obsolete) .NET Framework 4.0 code. – Willy Jan 17 '13 at 16:43
  • possible duplicate of [Code Access Security Policy Compatibility and Migration](http://stackoverflow.com/questions/14240046/code-access-security-policy-compatibility-and-migration) – ChrisWue Jan 17 '13 at 19:42
  • Would an approach like this work for you: http://stackoverflow.com/questions/5997995/in-net-4-0-how-do-i-sandbox-an-in-memory-assembly-and-execute-a-method? Basically compile your assembly and load it into an AppDomain with the appropriate security policy? – ChrisWue Jan 17 '13 at 19:51
  • My library sounds like it does something similar? https://github.com/taspeotis/ExpressionEvaluator/blob/master/ExpressionEvaluator/Sandbox.cs and https://github.com/taspeotis/ExpressionEvaluator/blob/master/ExpressionEvaluator/ExpressionCompiler.cs might be helpful. Or they might not be :) – ta.speot.is Jan 17 '13 at 23:53

1 Answer

Security policy is no longer applied to applications (notice that the .NET Framework Configuration tool is gone in Framework 4). Applications that run on the desktop are executed in full-trust. However, you can sandbox applications and run them in partial-trust.

You will have to remove references to CompilerParameters.Evidence completely.

You can use the SecurityRulesAttribute and SecurityTransparentAttribute if you don't want all code to be considered security-critical.

Read about Security-Transparency. In Framework 4 a second level was added.

Taken from the second-level transparency article:

> If you do not specify any attributes, the runtime interprets all code as security-critical, except where being security-critical violates an inheritance rule (for example, when overriding or implementing a transparent virtual or interface method). In those cases, the methods are safe-critical. Specifying no attribute causes the common language runtime to determine the transparency rules for you.

What ChrisWue suggests is another alternative. Sandbox your application. For a quick intro on how to execute an assembly in a sandbox, look at the example on SecurityManager.GetStandardSandbox.

PS: As far as I understand the reason they made these changes to the CAS is because it was quite complicated to use correctly. I still get confused by the RequestMinimum, RequestOptional and RequestRefuse security actions.

Panos Rontogiannis
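
The sandbox route named in the answer and in ChrisWue's comment, as an added example that is not code from the question, the answer or the linked pages: compile without `Evidence`, then load the output into a partial-trust AppDomain. `SandboxRunner`, `CompileAndRun`, `Invoke` and the `Compiled.dll` output name are hypothetical, and it assumes the assembly holding `SandboxRunner` is strong-name signed so it can be listed as fully trusted in the sandbox.

```csharp
using System;
using System.CodeDom.Compiler;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Policy;
using Microsoft.VisualBasic;

// Hypothetical helper; its assembly must be strong-name signed (assumption).
public class SandboxRunner : MarshalByRefObject
{
    // Runs inside the sandbox domain, so the compiled code gets only that domain's grant set.
    public object Invoke(string assemblyName, string typeName, string methodName)
    {
        Type type = Assembly.Load(assemblyName).GetType(typeName, true);
        // Assumes a Public Shared method without parameters and a serializable result.
        return type.GetMethod(methodName).Invoke(null, null);
    }

    public static object CompileAndRun(string vbSource, string typeName, string methodName)
    {
        // Dedicated output directory; it becomes the sandbox's ApplicationBase.
        string dir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(dir);
        var options = new CompilerParameters { GenerateExecutable = false, GenerateInMemory = false };
        options.OutputAssembly = Path.Combine(dir, "Compiled.dll");
        options.ReferencedAssemblies.Add("System.dll");
        // No options.Evidence: trust is decided by the AppDomain the assembly is loaded into.
        CompilerResults results = new VBCodeProvider().CompileAssemblyFromSource(options, vbSource);
        if (results.Errors.HasErrors)
            throw new InvalidOperationException("Compilation failed: " + results.Errors[0]);
        // Partial-trust grant set for Internet-zone code.
        var evidence = new Evidence();
        evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
        PermissionSet grantSet = SecurityManager.GetStandardSandbox(evidence);
        // Only the signed host assembly is fully trusted inside the sandbox.
        StrongName host = typeof(SandboxRunner).Assembly.Evidence.GetHostEvidence<StrongName>();
        var setup = new AppDomainSetup { ApplicationBase = dir };
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grantSet, host);
        try
        {
            var runner = (SandboxRunner)Activator.CreateInstanceFrom(sandbox,
                typeof(SandboxRunner).Assembly.ManifestModule.FullyQualifiedName,
                typeof(SandboxRunner).FullName).Unwrap();
            return runner.Invoke("Compiled", typeName, methodName);
        }
        finally { AppDomain.Unload(sandbox); }
    }
}
```

Because `results.CompiledAssembly` is never read, the compiled assembly is not loaded into the host AppDomain; it is loaded only inside the sandbox.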