2

I'm looking into implementing a system wherein users are able to pass scripts to our server and have them executed. Thankfully there are plenty of resources for Embedding Python into C#. However I am mostly worried about users passing scripts that access system functions and cause undesirable or even malicious results. Main example being: Writing to files on the server unrestricted.

I've been searching for a good way to completely limit a script's access to strictly just the framework classes that we offer clients but most of the hits that I find are basically "here's how you embed a script interpreter in C#" but never mentions any safety concerns like limiting access. Admittedly I could do an initial pass over the script and search for any blacklisted code but there is always the chance to miss something.

There's no requirement about which language gets executed, preferably something that can be compiled ahead of time. The server will be running C# to answer requests and delegating some to the user created code. I'm just having trouble finding any method with any language that limits access from user made code.

Community
  • 1
  • 1
Muuski
  • 198
  • 1
  • 10
  • Check out [FLEE](http://flee.codeplex.com/) or [NCalc](http://ncalc.codeplex.com/). Both should let you restrict users to permitted types and allow you to expose/create specialized (secure) method wrappers as needed. EDIT: Although these are focused on single expressions (you can make some pretty complex expressions though) perhaps they'll be sufficient for what is needed. – Chris Sinclair Mar 03 '13 at 19:59

1 Answers1

2

I highly recommend that you use Lua, which is intended for exactly this sort of thing. Every function, whether user-written or built-in, is an entry in a table, so the capabilities of a script can be restricted very easily. Removing the io table, for example, is an easy way to prevent malicious file system changes.

Borodin
  • 126,100
  • 9
  • 70
  • 144
  • It sounds like you're talking about something like [Remove functions from os library](http://stackoverflow.com/questions/10108933/how-to-remove-particular-functions-from-os-library-without-editing-the-lua-heade) which sounds like exactly what I'm looking for. I'll check it out tomorrow and check mark your answer if everything works out. Thanks. – Muuski Mar 04 '13 at 11:03
  • The global environment (symbol table) of any embedded Lua script is under the complete control of the C code that calls that script. The script cannot access anything that doesn't appear in this table, and because it is a Lua table like any other it is simple to remove undesirable elements. Standard Lua libraries are accessed through subtables of the environment, so just deleting the `io` element prevents access to any I/O functions while leaving the harmless `math` and `string` etc. libraries available. – Borodin Mar 04 '13 at 11:34