
If I use this line of code in my asp.net app:

using System.Linq;  // for SelectMany

AppDomain.CurrentDomain.GetAssemblies().SelectMany(a => a.GetTypes())  // GetAssemblies() returns Assembly[], so the types are gathered per assembly

Msdn GetAssemblies()

Would someone be able to create a code injection attack if they drop a dll in my bin folder? Doesn't this code dynamically load the assembly, which would allow the code to run its static constructor? Or am I thinking of this the wrong way?

Erik Philips
Seth Micalizzi
  • Only if you make the mistake of loading that DLL. Surely you *never* do something that unwise. Or expose your bin folder to downloads for that matter. – Hans Passant Apr 10 '15 at 16:12

1 Answer


Would someone be able to create a code injection attack if they drop a dll in my bin folder?

Maybe, depends on what your program does.

Doesn't this code dynamically load the assembly, which would allow the code to run its static constructor?

Absolutely not. GetAssemblies():

Gets the assemblies that have been loaded into the execution context of this application domain.

It does not dynamically load the assembly, just because it's in the folder.

If you are concerned about your assemblies, then you should probably read "Why use strong named assemblies?".

Erik Philips
  • What about the 'GetTypes()'? – Ewan Apr 10 '15 at 16:06
  • `GetTypes()`: "Gets the types defined in this assembly." So the assembly, again, already has to be loaded; you can't call it on something that isn't already loaded into the AppDomain. If someone wants to do reflection without actually executing the assembly they should use [Assembly.ReflectionOnlyLoad()](https://msdn.microsoft.com/en-us/library/system.reflection.assembly.reflectiononlyload(v=vs.110).aspx) or [Assembly.ReflectionOnlyLoadFrom()](https://msdn.microsoft.com/en-us/library/system.reflection.assembly.reflectiononlyloadfrom(v=vs.110).aspx). – Erik Philips Apr 10 '15 at 16:07
  • I noted this remark on Type.GetType(typename): "GetType causes loading of the assembly specified in typeName." And this on static constructors: "The user has no control on when the static constructor is executed in the program". – Ewan Apr 10 '15 at 16:12
  • @Ewan huge difference between `GetType()` and `GetTypes()`. Since `GetType()` can load an assembly because you can fully qualify the type, it's not directly possible for you to drop a dll and have someone else's code just load the dll, unless you overwrite another dll (fully qualified) and don't use Strong Named Assemblies. – Erik Philips Apr 10 '15 at 16:15
  • Phew, I was worried about my shared-on-the-internet bin folder for a moment there. – Ewan Apr 10 '15 at 16:22
  • Lol, that would most likely allow anyone to execute code on the machine. – Erik Philips Apr 10 '15 at 16:23
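The answer and the comment thread draw three distinctions: GetAssemblies() only enumerates assemblies already in the AppDomain, Type.GetType with an assembly-qualified name does load an assembly, and loading an assembly is not the same as executing its static constructors. The program below is an added example written for this page, not code from the question or the answer. It targets .NET Framework 4.x (the ASP.NET of the question; ReflectionOnlyLoad is not available on .NET Core). The payload source, the file name Dropped.dll, and the use of the app base directory to stand in for an ASP.NET bin folder are all constructed for the demonstration; it uses CodeDom to invoke csc so the "dropped" DLL is a real file on disk rather than a dynamic assembly that would already be part of the domain.

```csharp
// Added example (not from the original question or answer). .NET Framework 4.x console app:
// builds a throwaway "dropped" DLL with csc via CodeDom, then shows which reflection calls
// load it and which ones actually execute its static constructor.
using System;
using System.CodeDom.Compiler;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;

static class Program
{
    // Constructed payload: its only code is a static constructor that announces itself.
    const string PayloadSource = @"
namespace Dropped
{
    public class Payload
    {
        static Payload() { System.Console.WriteLine(""  [payload] static constructor ran""); }
    }
}";

    // True if an assembly with this simple name is in the domain's execution context,
    // i.e. exactly what AppDomain.CurrentDomain.GetAssemblies() can see.
    static bool IsLoaded(string simpleName) =>
        AppDomain.CurrentDomain.GetAssemblies().Any(a => a.GetName().Name == simpleName);

    static void Main()
    {
        // Simulate "someone dropped a DLL into bin": compile it into the app base directory,
        // which is the directory the runtime probes when resolving assembly-qualified type names.
        string path = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Dropped.dll");
        CompilerResults results = CodeDomProvider.CreateProvider("CSharp").CompileAssemblyFromSource(
            new CompilerParameters { GenerateExecutable = false, OutputAssembly = path }, PayloadSource);
        if (results.Errors.HasErrors) throw new InvalidOperationException(results.Errors[0].ErrorText);

        // 1. GetAssemblies() only enumerates what is already loaded; the file on disk is invisible.
        Console.WriteLine("1. loaded after drop?                " + IsLoaded("Dropped"));   // False

        // 2. Reflection-only load: metadata can be enumerated, nothing can run. It does not show
        //    up in GetAssemblies() either; ReflectionOnlyGetAssemblies() is the list for that context.
        Assembly inspect = Assembly.ReflectionOnlyLoadFrom(path);
        Console.WriteLine("2. types seen in reflection-only:    " +
            string.Join(", ", inspect.GetTypes().Select(t => t.FullName)));
        Console.WriteLine("   in GetAssemblies()?               " + IsLoaded("Dropped"));   // False
        Console.WriteLine("   in ReflectionOnlyGetAssemblies()? " +
            AppDomain.CurrentDomain.ReflectionOnlyGetAssemblies().Any(a => a == inspect));  // True

        // 3. Type.GetType with an assembly-qualified name DOES load the assembly through normal
        //    probing (the remark quoted in the comments). Loading runs no user code by itself:
        //    the static constructor is deferred until the type is first used.
        Type payload = Type.GetType("Dropped.Payload, Dropped", throwOnError: true);
        Console.WriteLine("3. loaded after Type.GetType?        " + IsLoaded("Dropped"));   // True
        payload.Assembly.GetTypes();  // GetTypes() on the loaded assembly: still nothing from the payload

        // 4. Only using the type executes its static constructor: creating an instance, touching
        //    a static member, or forcing it explicitly as done here.
        Console.WriteLine("4. forcing the static constructor:");
        RuntimeHelpers.RunClassConstructor(payload.TypeHandle);  // prints the payload line
    }
}
```

Step 3 is the one that matters for the question: a file in the probing path becomes loadable the moment any code in the application asks for that assembly name, whether through Type.GetType, Assembly.Load, or a type reference in a page that gets compiled, and once loaded the first use of a type runs its static constructor at a point the attacker chose. GetAssemblies() and GetTypes() never initiate that load, which is the answer's point; the defensive question is whether anything else in the application resolves assembly names that a dropped file could satisfy, which is where strong naming (and keeping the bin folder unwritable) comes in.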