
I'm working on an application that supports running code written by users using VBCodeProvider. I would like to limit the things they can do, for example:

  • Block reflection
  • Block access to the file system from the script level (referenced assemblies should be allowed to access it)
  • Make sure they can't call any unmanaged code
  • Block direct access to the database (SQL Server), they can only use referenced data layer assembly
  • Deny access to certain methods in referenced assemblies that are part of our project

What would be the best way to approach it? What else should we think of when exposing this type of functionality to the user?

DrJekyll
  • This sounds like a nightmare waiting to happen. Why do you need to allow users to contribute and then execute arbitrary code like this anyway? – ADyson Apr 11 '19 at 11:42
  • @ADyson it's a highly configurable system. Scripting was implemented many years ago and works great, but up until now scripts were written by us for the client so security wasn't an issue. We want to take it a step further to make it self-service, but only "chosen" users will be able to do that. – DrJekyll Apr 11 '19 at 11:59
  • I see. Without spending ages researching into the specifics of the various areas you've mentioned, I'd suggest you need to be aiming to create some sort of sandbox-like environment where only certain defined functionality is available. A bit like some of the web-based code testing sandboxes you find for JS, PHP, .NET and so on - you'll usually find in those you can't do things like make HTTP requests, talk to databases etc because those features have been removed from the version of the language deployed on that environment. – ADyson Apr 11 '19 at 12:08
  • .NET, despite the move to Nuget in more recent years, is still a bit monolithic though (and especially if these scripts are supposed to interact with an existing application which has full access to all language features) so I don't know how straightforward it would be to remove some features. – ADyson Apr 11 '19 at 12:09

0 Answers
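The sandbox the comments point at is, on .NET Framework, a second AppDomain with a minimal code-access-security grant set. The following C# is an added example (not code from the question, the comments, or the asker's project) that compiles the user's VB script with VBCodeProvider and runs it in such a domain. It assumes .NET Framework 4.x (CAS sandboxing does not exist on .NET Core / .NET 5+), that the host assembly and a hypothetical strong-named `DataLayer.dll` sit in the sandbox directory, and that the script defines `Public Class Script` with `Public Shared Function Run() As String`; all of those names are assumptions.

```csharp
// Added example: compile a user's VB script and execute it in an AppDomain
// whose grant set contains only SecurityPermissionFlag.Execution.
// .NET Framework 4.x only; CAS sandboxing is not available on .NET Core / .NET 5+.
// Assumptions (hypothetical): this host assembly and DataLayer.dll are strong-named
// and live in sandboxDir; the script defines
//   Public Class Script : Public Shared Function Run() As String
using System;
using System.CodeDom.Compiler;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.Remoting;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
using Microsoft.VisualBasic;

public class ScriptSandbox : MarshalByRefObject
{
    // Runs in the host (full trust). Returns the path of the compiled script.
    // Only the listed assemblies are offered to the compiler; System.Data.dll and
    // System.Reflection.Emit are simply absent. mscorlib is always referenced, so
    // System.IO.File still compiles: the runtime grant set below is what blocks it.
    public static string Compile(string vbSource, string sandboxDir)
    {
        Directory.CreateDirectory(sandboxDir);
        var parameters = new CompilerParameters
        {
            GenerateInMemory = false,   // the sandbox domain loads it from its ApplicationBase
            OutputAssembly = Path.Combine(sandboxDir, "UserScript.dll"),
        };
        parameters.ReferencedAssemblies.Add("System.dll");
        parameters.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll");
        parameters.ReferencedAssemblies.Add(Path.Combine(sandboxDir, "DataLayer.dll"));
        using (var provider = new VBCodeProvider())
        {
            CompilerResults results = provider.CompileAssemblyFromSource(parameters, vbSource);
            if (results.Errors.HasErrors)
                throw new InvalidOperationException(string.Join(Environment.NewLine,
                    results.Errors.Cast<CompilerError>().Select(e => e.ToString())));
            return results.PathToAssembly;
        }
    }

    // Runs in the host: builds the restricted domain and hands the script to it.
    public static string RunSandboxed(string sandboxDir)
    {
        var setup = new AppDomainSetup { ApplicationBase = Path.GetFullPath(sandboxDir) };

        // Start from nothing and grant only the right to execute IL: no FileIOPermission,
        // no SqlClientPermission, no ReflectionPermission, no UnmanagedCode flag.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // Assemblies that keep full trust inside the sandbox: this host (so the
        // MarshalByRefObject can run there) and the project's data layer.
        StrongName host = typeof(ScriptSandbox).Assembly.Evidence.GetHostEvidence<StrongName>();
        if (host == null)
            throw new InvalidOperationException("Host assembly must be strong-named.");
        AssemblyName dl = AssemblyName.GetAssemblyName(Path.Combine(sandboxDir, "DataLayer.dll"));
        var dataLayer = new StrongName(new StrongNamePublicKeyBlob(dl.GetPublicKey()), dl.Name, dl.Version);

        AppDomain sandbox = AppDomain.CreateDomain("ScriptSandbox", null, setup, grant, host, dataLayer);
        try
        {
            ObjectHandle handle = Activator.CreateInstanceFrom(sandbox,
                typeof(ScriptSandbox).Assembly.ManifestModule.FullyQualifiedName,
                typeof(ScriptSandbox).FullName);
            var runner = (ScriptSandbox)handle.Unwrap();
            return runner.Execute("UserScript", "Script", "Run");
        }
        finally
        {
            AppDomain.Unload(sandbox);   // discard everything the script loaded or allocated
        }
    }

    // Runs inside the sandbox domain. This type is full trust there, but the script's
    // frames are partial trust, so any demand made while the script is on the stack
    // (File.ReadAllText, SqlConnection.Open, a DllImport call, reflection over
    // non-public members) fails with SecurityException.
    public string Execute(string assemblyName, string typeName, string entryPoint)
    {
        MethodInfo target = Assembly.Load(assemblyName).GetType(typeName).GetMethod(entryPoint);
        try
        {
            return (string)target.Invoke(null, null);
        }
        catch (TargetInvocationException ex) when (ex.InnerException is SecurityException
                                                || ex.InnerException is MethodAccessException)
        {
            // SecurityException: the script demanded a permission the grant set lacks.
            // MethodAccessException: transparent script code called a [SecurityCritical]
            // method, which is how individual data-layer methods can be denied to scripts.
            return "Blocked: " + ex.InnerException.Message;
        }
    }
}
```

Two points a practitioner should keep in mind. First, a permission demand walks the whole call stack, so for `DataLayer.dll` to open files or SQL connections on the script's behalf its entry points must assert the permission they need (or be `[SecurityCritical]` and reached through a `[SecuritySafeCritical]` wrapper); conversely, marking a method `[SecurityCritical]` without a safe-critical wrapper is what denies it to the transparent script code. Second, CAS bounds what the script may call, not how long it runs or how much memory it allocates; a runaway loop is still possible, so invoke `RunSandboxed` on a worker thread with a timeout (or in a separate process) and rely on `AppDomain.Unload` to reclaim what it left behind.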