
Is there a way to sandbox execution of a script such that it a) can't do anything "dangerous" and b) can access any files it wants to so long as the file is within the same directory as the script file itself? Kind of as if it were to treat all file paths as relative.

I guess I'm asking about Roslyn's scripting security measures and their level of customization.

RoyalPotato

  • Roslyn will not help you with that at all. – SLaks Mar 20 '16 at 01:16
  • Roslyn has absolutely no security when executing scripts? That's even worse than faking scripting with codedom. – RoyalPotato Mar 20 '16 at 02:33
  • Securely allowing arbitrary code is an _extremely_ hard problem. Roslyn does not try to address that; you should not run untrusted scripts. – SLaks Mar 20 '16 at 02:35
  • In fact, if you also want to protect the secrecy of other data on the same computer, it's basically impossible. – SLaks Mar 20 '16 at 02:36
  • Well, in the "design" stage of a game engine/framework, I was hoping to allow scripting support with the help of Roslyn. These "scripts" wouldn't have access to any kind of networking, and limited file access. So if they were to get "sensitive" data, they wouldn't be able to do anything with it. – RoyalPotato Mar 20 '16 at 02:39
  • Looks like I'm going to have to write my own scripting language, now though. – RoyalPotato Mar 20 '16 at 02:40
  • You could write a symbol visitor that looks for all calls to dangerous methods, but .Net has many ways to do dangerous things. You would need a whitelist that completely excludes reflection, filesystem, and most other things. – SLaks Mar 20 '16 at 02:44
  • Yeah, I was hoping there would be an easy way to "secure" things. Because .NET could make quite the powerful scripting engine for a game. Looks like I'll have to find a different route, thanks for the advice! – RoyalPotato Mar 20 '16 at 02:46
  • Hi @RoyalPotato - what did you do in the end? – Dirk Boer Feb 08 '21 at 21:30
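
SLaks's suggestion of a symbol visitor backed by an allowlist, worked through as an added example; this is not code from the question, the comments or any Roslyn project. It uses the Microsoft.CodeAnalysis.CSharp NuGet package. The allowlist contents, the `ScriptAllowlist` class and the three constructed scripts are assumptions for the demo, and it assumes the reference assembly passed in contains the types a script uses (anything unresolved surfaces as a compile error, which is also a rejection).

```csharp
// Added example (not from the page). Requires the Microsoft.CodeAnalysis.CSharp package.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;

public static class ScriptAllowlist
{
    // Assumed allowlist for a game-script host. Everything else, including System.Type,
    // System.Reflection.*, System.IO.* and System.Net.*, is rejected. Types the script
    // declares itself are exempt (they live in the script's own assembly).
    static readonly HashSet<string> AllowedTypes = new HashSet<string>
    {
        "System.Object", "System.Void", "System.String", "System.Boolean",
        "System.Int32", "System.Int64", "System.Double", "System.Math", "System.Array",
    };

    // Display without the int/string keyword substitution so names match the list.
    static readonly SymbolDisplayFormat FullName = new SymbolDisplayFormat(
        typeQualificationStyle: SymbolDisplayTypeQualificationStyle.NameAndContainingTypesAndNamespaces,
        genericsOptions: SymbolDisplayGenericsOptions.IncludeTypeParameters);

    // Returns an empty list when the script only touches allowlisted types.
    public static IReadOnlyList<string> Check(string source, params MetadataReference[] references)
    {
        var tree = CSharpSyntaxTree.ParseText(source);
        var compilation = CSharpCompilation.Create("script", new[] { tree }, references,
            new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary, allowUnsafe: false));

        var violations = new List<string>();
        foreach (var d in compilation.GetDiagnostics())
            if (d.Severity == DiagnosticSeverity.Error)
                violations.Add("compile error: " + d.GetMessage());

        var model = compilation.GetSemanticModel(tree);
        foreach (SyntaxNode node in tree.GetRoot().DescendantNodes())
        {
            var info = model.GetSymbolInfo(node);
            ISymbol symbol = info.Symbol ?? info.CandidateSymbols.FirstOrDefault();
            ITypeSymbol type = model.GetTypeInfo(node).Type;

            // dynamic defers binding to run time, where this walk cannot see it.
            if (type != null && type.TypeKind == TypeKind.Dynamic)
                violations.Add(Describe(node, "dynamic is not allowed"));

            // A member is judged by its declaring type, a type by itself, and every
            // expression additionally by its static type (catches typeof(x).Assembly).
            Judge(node, symbol as INamedTypeSymbol ?? symbol?.ContainingType, compilation, violations);
            Judge(node, type as INamedTypeSymbol, compilation, violations);
        }
        return violations.Distinct().ToList();
    }

    static void Judge(SyntaxNode node, INamedTypeSymbol t, Compilation compilation, List<string> violations)
    {
        if (t == null || t.TypeKind == TypeKind.Error) return;
        if (SymbolEqualityComparer.Default.Equals(t.ContainingAssembly, compilation.Assembly)) return;
        string name = t.OriginalDefinition.ToDisplayString(FullName);
        if (!AllowedTypes.Contains(name)) violations.Add(Describe(node, "use of " + name));
    }

    static string Describe(SyntaxNode node, string what) =>
        "line " + (node.GetLocation().GetLineSpan().StartLinePosition.Line + 1) + ": " + what;

    public static void Main()
    {
        var corlib = MetadataReference.CreateFromFile(typeof(object).Assembly.Location);
        // Constructed scripts: a benign one, a file read, and a reflection detour.
        var scripts = new Dictionary<string, string>
        {
            ["benign"]  = "public static class S { public static double Hyp(double a, double b) { return System.Math.Sqrt(a * a + b * b); } }",
            ["file"]    = "public static class S { public static string Run() { return System.IO.File.ReadAllText(\"secret.txt\"); } }",
            ["reflect"] = "public static class S { public static object Run() { return typeof(object).Assembly.GetType(\"System.IO.File\"); } }",
        };
        foreach (var kv in scripts)
        {
            var v = Check(kv.Value, corlib);
            Console.WriteLine(kv.Key + ": " + (v.Count == 0 ? "allowed" : string.Join("; ", v)));
        }
    }
}
```

This is a static check over what the compiler can bind, which is exactly why `dynamic` has to be refused outright. It says nothing about CPU or memory: a script that loops forever or allocates without bound passes this checker, and the allowlist has to stay small, because one permitted type with a path back to `System.Type` or `System.IO` reopens everything.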

1 Answer


This is possible, but as SLaks says, it is a hard problem. You should probably read In .NET 4.0, how do I 'sandbox' an in-memory assembly and execute a method?. You would need the following steps:

  • Use a CSharpCodeProvider or VBCodeProvider to compile the source to an assembly on the hard drive.
  • Create a new AppDomain, granting it only those permissions you would like it to have.
  • Use MarshalByRefObjects to communicate back and forth between your original AppDomain and the child AppDomain you've just created. See this and this.
Bert Cushman

  • A: I was hoping to avoid System.CodeDom. B: I was also hoping to avoid creating another AppDomain. C: I require greater control over script permissions than this would allow. For example, I'm OK with scripts playing with file IO, but only if I can force all file IO activities to work out of directories relative to my app's .exe (yes, even if they try to specify an absolute directory). I knew these goals were long shots though, to be honest. – RoyalPotato Jun 18 '16 at 17:14
  • AFAIK, this is not possible anymore with .NET Core. – cskwg Mar 10 '23 at 07:00
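
The answer's three steps carried through end to end on .NET Framework 4.x, as an added example; this is not code from the answer or from any project. It assumes the host assembly is strong-named (AppDomain.CreateDomain's full-trust list is keyed by StrongName), and the `scripts` folder, the `UserScript` assembly, the `ScriptRunner` class and the `allowed.txt`/`secret.txt` files are constructed for the demo. Code access security is absent from .NET Core and .NET 5+, so this only builds against the full Framework.

```csharp
// Added example (not from the page): the answer's three steps on .NET Framework 4.x.
using System;
using System.CodeDom.Compiler;
using System.IO;
using System.Reflection;
using System.Runtime.Remoting;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
using Microsoft.CSharp;

// Step 3: lives in the child domain; the host talks to it through a transparent proxy.
// The host assembly containing it is assumed to be strong-named (see below).
public class ScriptRunner : MarshalByRefObject
{
    public string Run(string assemblyName, string typeName, string methodName, string argument)
    {
        // Resolved from the child domain's ApplicationBase, so the script assembly
        // is loaded with the child domain's restricted grant set, not the host's.
        Type scriptType = Assembly.Load(assemblyName).GetType(typeName, throwOnError: true);
        MethodInfo entry = scriptType.GetMethod(methodName, BindingFlags.Public | BindingFlags.Static);
        return (string)entry.Invoke(null, new object[] { argument });
    }
}

public static class SandboxHost
{
    // Constructed script: the only thing it does is read a file by path.
    const string ScriptSource =
        "public static class UserScript {" +
        "  public static string ReadText(string path) { return System.IO.File.ReadAllText(path); } }";

    public static void Main()
    {
        string baseDir = AppDomain.CurrentDomain.BaseDirectory;
        string scriptDir = Path.Combine(baseDir, "scripts");
        Directory.CreateDirectory(scriptDir);
        File.WriteAllText(Path.Combine(scriptDir, "allowed.txt"), "readable from the sandbox");
        File.WriteAllText(Path.Combine(baseDir, "secret.txt"), "must stay out of reach");

        // Step 1: compile the script to disk, inside the scripts folder.
        string assemblyPath = Path.Combine(scriptDir, "UserScript.dll");
        using (var provider = new CSharpCodeProvider())
        {
            var options = new CompilerParameters { GenerateExecutable = false, OutputAssembly = assemblyPath };
            options.ReferencedAssemblies.Add("System.dll");
            CompilerResults results = provider.CompileAssemblyFromSource(options, ScriptSource);
            if (results.Errors.HasErrors)
                throw new InvalidOperationException(results.Errors[0].ToString());
        }

        // Step 2: a grant set of "execute" plus read/path-discovery on scriptDir, nothing else.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, scriptDir));
        var setup = new AppDomainSetup { ApplicationBase = scriptDir };

        // The runner's assembly must be fully trusted inside the child domain, and the
        // full-trust list is keyed by strong name, hence the assumption above.
        StrongName host = typeof(ScriptRunner).Assembly.Evidence.GetHostEvidence<StrongName>();
        if (host == null) throw new InvalidOperationException("host assembly must be strong-named");

        AppDomain sandbox = AppDomain.CreateDomain("ScriptSandbox", null, setup, grant, host);
        try
        {
            ObjectHandle handle = Activator.CreateInstanceFrom(sandbox,
                typeof(ScriptRunner).Assembly.ManifestModule.FullyQualifiedName, typeof(ScriptRunner).FullName);
            var runner = (ScriptRunner)handle.Unwrap();

            // Inside scriptDir: the FileIOPermission demand succeeds.
            Console.WriteLine(runner.Run("UserScript", "UserScript", "ReadText",
                Path.Combine(scriptDir, "allowed.txt")));

            // Absolute path outside scriptDir: the demand fails at the script's stack frame.
            try
            {
                runner.Run("UserScript", "UserScript", "ReadText", Path.Combine(baseDir, "secret.txt"));
            }
            catch (TargetInvocationException ex) when (ex.InnerException is SecurityException)
            {
                Console.WriteLine("denied: " + ex.InnerException.Message);
            }
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Note what this does and does not buy. A script that hands over an absolute path outside `scripts` gets a SecurityException rather than a remapped path, so the "treat every path as relative" behaviour the question asks for is not something CAS provides; it also does nothing against infinite loops or memory exhaustion, and Microsoft's own .NET Framework 4 documentation warns against relying on CAS as a security boundary for partially trusted code.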