Reputation: 15799
I'm working on a large ASP.NET software product. We'd like to allow users to enter expressions rather than constants for certain fields. Typically something like:
(Price * 1.175) + 25
The obvious solution seems to be to embed IronPython, create a Scope, pass in the "Price" (and other) variables and then execute the above as IronPython code.
However, there would be nothing stopping users from entering:
1 / 0
or
def func1():
    func1()
func1()
or
import System.IO
File.Delete(....)
But if I catch all exceptions and run the IronPython code in an Application Domain with the Internet permission set, am I safe?
Upvotes: 2
Views: 165
Reputation: 7134
In a similar situation I opted for server side JScript. To add another layer of protection I am wrapping the expression in a function and then executing the function:
function generated123(p1, p2, p3) {
    // Parentheses keep the expression on the return statement: a bare "return"
    // followed by a line break is terminated by automatic semicolon insertion
    // and returns undefined, so the user code would never be evaluated.
    return (
        // user code goes here
    );
}
This way the user cannot force importing anything dangerous. Also server side JScript is compiled which is good for performance.
Upvotes: 0
Reputation: 7211
You answer your own question by noting that there is nothing to stop the user from entering valid code. Never trust user input. Ever.
Upvotes: 4
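As an added example (not code from the question or either answer), the alternative both answers point toward: instead of executing the user's text in IronPython or JScript, parse the `(Price * 1.175) + 25` style of expression with a grammar that admits nothing else. The `scope` object holding the field values is an assumption; each hostile input from the question fails at tokenize or parse time, and `1 / 0` is reported as an error rather than producing Infinity.

```javascript
// Added example, not from the question or either answer: a whitelist expression evaluator that
// parses only numbers, named fields, + - * / and parentheses. def, import, member access,
// calls and loops fail to tokenize or parse, so user text never reaches IronPython or JScript.
function tokenize(src) {
  const tokens = [];
  for (let i = 0; i < src.length; ) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if (/[0-9.]/.test(c)) {                                       // number literal
      let j = i; while (j < src.length && /[0-9.]/.test(src[j])) j++;
      const text = src.slice(i, j);
      if (!/^\d+(\.\d+)?$/.test(text)) throw new SyntaxError(`bad number '${text}'`);
      tokens.push({ type: 'num', value: Number(text) }); i = j;
    } else if (/[A-Za-z_]/.test(c)) {                              // field name
      let j = i; while (j < src.length && /\w/.test(src[j])) j++;
      tokens.push({ type: 'id', value: src.slice(i, j) }); i = j;
    } else if ('+-*/()'.includes(c)) {
      tokens.push({ type: 'op', value: c }); i++;
    } else throw new SyntaxError(`unexpected character '${c}'`);   // '.', ':', '=', quotes, ...
  }
  return tokens;
}
// Recursive descent: expr := term (('+'|'-') term)*; term := unary (('*'|'/') unary)*; unary := '-' unary | '(' expr ')' | number | field
function evaluate(src, scope) {
  const toks = tokenize(src); let pos = 0;
  function unary() {
    const t = toks[pos++]; if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.type === 'num') return t.value;
    if (t.type === 'id') {                                         // own properties only: no __proto__, constructor
      if (!Object.prototype.hasOwnProperty.call(scope, t.value)) throw new ReferenceError(`unknown field '${t.value}'`);
      return scope[t.value];
    }
    if (t.value === '-') return -unary();
    if (t.value === '(') { const v = binary(0), close = toks[pos++]; if (!close || close.value !== ')') throw new SyntaxError("expected ')'"); return v; }
    throw new SyntaxError(`unexpected '${t.value}'`);
  }
  function binary(level) {                                         // level 0: + -   level 1: * /
    const ops = level === 0 ? '+-' : '*/', operand = level === 0 ? () => binary(1) : unary;
    let v = operand();
    while (toks[pos] && toks[pos].type === 'op' && ops.includes(toks[pos].value)) {
      const op = toks[pos++].value, r = operand();
      if (op === '/' && r === 0) throw new RangeError('division by zero'); // 1 / 0 is an error, not Infinity
      v = op === '+' ? v + r : op === '-' ? v - r : op === '*' ? v * r : v / r;
    }
    return v;
  }
  const result = binary(0);
  if (pos !== toks.length) throw new SyntaxError(`unexpected '${toks[pos].value}'`); // e.g. the '(' of func1()
  return result;
}
```

Because the evaluator only ever reads own properties of `scope` and never calls anything, there is no sandbox or AppDomain to escape; the remaining risk is resource use, which a length limit on the input bounds.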