How vulnerable is running untrusted code with limiting references using AssemblyLoadContext in C# .NET Core

Question

I am trying to run untrusted codes uploaded by user in my server. My users want to write simple functions to be executed on server like this:

public class HelloWorldPlugin
{
    public string GetResult(string input)
    {
        //return System.IO.Directory.GetCurrentDirectory();
        return "Hello " + input;
    }
}

Update: I am not allowed to use docker or similar isolated solution due to their resource requirements.

The steps are:

• Defining allowed assemblies and types

• Compiling user codes

• Loading compiled assembly in separate AssemblyLoadContext

• Executing user function

• Disposing resources

I have simplified my code as below:

public class PluginLoader : IDisposable
{
    private AssemblyLoadContext assemblyLoadContext;
    private Assembly assembly;
    private byte[] bytes;

    public void Load(string id, string code, IEnumerable<string> allowedAssemblyNames, IEnumerable<Type> allowedTypes)
    {
        var _references = new List<MetadataReference>();
        foreach (var assemblyName in allowedAssemblyNames)
        {
            _references.Add(MetadataReference.CreateFromFile(RuntimeEnvironment.GetRuntimeDirectory() + assemblyName + ".dll"));
        }

        foreach (var type in allowedTypes)
        {
            _references.Add(MetadataReference.CreateFromFile(type.Assembly.Location));
        }

        var options = new CSharpCompilationOptions(
            OutputKind.DynamicallyLinkedLibrary,
            reportSuppressedDiagnostics: true,
            optimizationLevel: OptimizationLevel.Release,
            generalDiagnosticOption: ReportDiagnostic.Error,
            allowUnsafe: false);

        var syntaxTree = CSharpSyntaxTree.ParseText(code, options: new CSharpParseOptions(LanguageVersion.Latest, kind: SourceCodeKind.Regular));
        var compilation = CSharpCompilation.Create(id, new[] { syntaxTree }, _references, options);

        assemblyLoadContext = new AssemblyLoadContext(id, true);

        using (var ms = new MemoryStream())
        {
            var result = compilation.Emit(ms);
            if (result.Success)
            {
                ms.Seek(0, SeekOrigin.Begin);
                bytes = ms.ToArray();
                ms.Seek(0, SeekOrigin.Begin);
                assembly = assemblyLoadContext.LoadFromStream(ms);
            }
        }

    }

    [MethodImpl(MethodImplOptions.NoInlining)]
    public string Run(string typeName, string methodName, string input)
    {
        var instance = assembly.CreateInstance(typeName);
        MethodInfo theMethod = instance.GetType().GetMethod(methodName);
        return (string) theMethod.Invoke(instance, new[] { input });
    }

    public void Dispose()
    {
        assemblyLoadContext.Unload();
        assemblyLoadContext = null;
        bytes = null;
        assembly = null;
    }
}

And the test code is:

    var allowedAssemblies = new[] { "System", "System.Linq", "System.Linq.Expressions" };
    var allowedTypes = new Type[] { typeof(object) };
    string result;

    using (var loader = new PluginLoader())
    {
        loader.Load("MyCustomPlugin", code, allowedAssemblies, allowedTypes);
        result= loader.Run("HelloWorldPlugin", "GetResult", "World!");
    }

    Console.WriteLine(result);
    Console.ReadLine();

I know that user may have access to IO, network, ... which are huge threats. I tried to use System.IO.Directory.GetCurrentDirectory(): since I have not added the System.IO assembly to allowedAssemblies it raises exception in compiling section. I have also tried to get current user identity and a few basic works with reflection and all of them raise exception.

If I limit allowed references prior to compile, how a user can execute a dangerous code to access the resources? What are the threats except continuous loop execution (while True loop)?