1

I'm working on some kind of plugin architecture where people can submit small pieces of C# code themselves and it will execute every hour on Azure.

Is this secure or can they easily compromise your whole Azure environment? Any other workarounds?

I was thinking about using IronPython - I guess it is simpler to make hard boundaries there, but I actually prefer to use C#.

Update

Just to be clear: I am mainly concerned about security not about Azure cost. This will be something like a reserved instance or at least something where cost is limited.

The risk of someone uploading a bitcoin miner and me finding out after two days is something I can live with.

What I can't live with is this person actually getting access to all kinds of Azure related stuff like credentials etc.

Dirk Boer
  • It is not safe. At best you will be DDoS'ed, at worst you become someone else's bitcoin miner and receive a paycheck for a couple of thousand bucks. Though, if you open access only for a specific group of people at your company, it is ok, if you audit their actions. – eocron Feb 08 '21 at 21:12
  • See https://stackoverflow.com/questions/36107551/roslyn-c-sharp-scripting-sandbox – Ian Mercer Feb 08 '21 at 21:15
  • Hi @eocron, it would be a reserved instance - so cost would be limited. This is a non-critical process, so the cost of someone uploading a miner and finding it out after a day and removing + blocking this user is not a problem. I'm talking more about security. – Dirk Boer Feb 08 '21 at 21:32
  • Hi @IanMercer, thanks for your answer! This is more related to Azure specifically. – Dirk Boer Feb 08 '21 at 21:34
  • `Any other workarounds?` Give each customer their own sandbox to play in. They can compromise it if they want, but if they are the only one there... – mjwills Feb 08 '21 at 21:56

1 Answer

2

It has access to everything you gave the Azure function access to: it can read all the environment variables, connection strings etc.; it may get database or key-vault access through them and learn other secrets; it may have a managed identity that gives it other capabilities; it may have access past firewalls that would otherwise have blocked it as a result of being on a trusted Azure IP; ... etc.

Now most of these things should have been disallowed by the configuration but you would be relying on all future changes to your function app environment by any developer or devops person to ensure they aren't exposing anything to it.

It could also hammer external services you rely on and get you blocked by rate limits.

Bottom line: it's not a good idea.

Ian Mercer
  • Additionally, I would like to add to this answer - it is actually a paid job to find backdoors in such systems. So Stack Overflow is probably not the best place to find an answer to security penetration problems. If viruses can be injected under root rights on simple systems simply by rearranging the stack before fatal errors, what is stopping them from doing this in the cloud? – eocron Feb 09 '21 at 08:04
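The answer's configuration-drift point (any future change to the Function app may hand a new secret to plugin code) can be turned into a pre-flight check. The following is an added example, not code from the question, the answer, or any Azure library: it assumes the plugin is run out of process as `dotnet <plugin.dll>`, and `PluginHostGuard`, `FindLeaks`, `IsolatedStart`, `RunPlugin` and the variable-name patterns are my own choices, with `IDENTITY_ENDPOINT`/`IDENTITY_HEADER` and `MSI_ENDPOINT`/`MSI_SECRET` being the managed-identity variables App Service / Functions set.

```csharp
// Added example, not code from the question or answer. Before the hourly run,
// refuse to execute plugins while the host exposes secret-bearing variables,
// and launch the plugin out of process with an allow-listed environment only.
// Assumptions: IDENTITY_ENDPOINT/IDENTITY_HEADER and MSI_ENDPOINT/MSI_SECRET are
// the managed-identity variables App Service / Functions set; the name patterns
// are a heuristic and will not cover every secret your app happens to hold.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text.RegularExpressions;

public static class PluginHostGuard
{
    static readonly HashSet<string> Denied = new(StringComparer.OrdinalIgnoreCase)
    { "IDENTITY_ENDPOINT", "IDENTITY_HEADER", "MSI_ENDPOINT", "MSI_SECRET", "AzureWebJobsStorage" };

    static readonly Regex Suspicious = new("CONNECTIONSTRING|SECRET|PASSWORD|TOKEN|APIKEY|ACCESSKEY",
                                           RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Variable names that plugin code must not inherit: denied outright or matching a pattern.
    public static IReadOnlyList<string> FindLeaks(IEnumerable<string> names) =>
        names.Where(n => Denied.Contains(n) || Suspicious.IsMatch(n.Replace("_", "")))
             .OrderBy(n => n, StringComparer.OrdinalIgnoreCase).ToList();

    // Start info carrying ONLY allow-listed variables, so a connection string added later is not inherited.
    public static ProcessStartInfo IsolatedStart(string runner, string pluginPath, IEnumerable<string> allowed)
    {
        var psi = new ProcessStartInfo(runner, pluginPath) { UseShellExecute = false, RedirectStandardOutput = true };
        psi.Environment.Clear();                       // drop everything the host process has
        foreach (var name in allowed)
        {
            var value = Environment.GetEnvironmentVariable(name);
            if (value != null) psi.Environment[name] = value;
        }
        return psi;
    }

    // Hourly entry point: audit the host's own environment first, then run the plugin in its own process.
    public static int RunPlugin(string pluginPath, string[] allowed)
    {
        var leaks = FindLeaks(Environment.GetEnvironmentVariables().Keys.Cast<string>());
        if (leaks.Count > 0)
            throw new InvalidOperationException("Host exposes secrets to plugins: " + string.Join(", ", leaks));
        using var proc = Process.Start(IsolatedStart("dotnet", pluginPath, allowed)) ?? throw new InvalidOperationException("plugin did not start");
        proc.WaitForExit();
        return proc.ExitCode;
    }
}
```

Note that this only limits what the child process inherits from the environment; the managed identity endpoint, trusted outbound IP and reachable databases the answer mentions still need to be removed from the host itself (a separate Function app or instance per tenant, with no identity and no connection strings, is the simpler shape).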