Open sl0burn opened 3 years ago
Not an issue but a question - the company I work for is interested in using the library but wants to know what security constraints are imposed within the parser context. Specifically, things that help avoid the equivalent of SQL injection attacks.

LambdaParser doesn't produce SQL code -- so I'm not sure why you mentioned "SQL injection attacks". Note that LambdaParser is not suitable for parsing expressions that may be directly used with, say, EntityFramework.
LambdaParser is often used to evaluate user-defined expressions, and it is designed to have a 'safe' evaluation context, meaning that an expression can use only 'context' objects and cannot access any APIs beyond this context (so you can control which objects and their methods/properties may be used in the expression). In particular, it is not possible to call static/extension methods; a weak point could be the possibility to call Object.GetType() (and potentially use reflection on the context's object), but it's easy to add an option to prohibit usage of the "GetType" method.
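The following is an added example, not code from the NReco.LambdaParser project or from either participant in this thread. It shows the restricted-context pattern the maintainer describes: the expression can only reach objects the caller hands it (an unknown identifier is an error rather than a type lookup), and the GetType escape hatch is closed by inspecting the parsed expression tree before evaluation. It assumes the `Parse(string)` and `Eval(string, Func<string, object>)` members as documented in the project's README at the time, and it assumes that LambdaParser resolves member names at run time and carries them in the tree as string constants (the visitor therefore checks both a direct `MethodCallExpression` named GetType and a string constant "GetType", so it works under either tree shape). The `Order` class, `DenyMemberVisitor` and `SafeEval` are hypothetical names introduced here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq.Expressions;
using NReco.Linq;   // NuGet package: NReco.LambdaParser

// Hypothetical context object. Only what it exposes is reachable from an expression.
public class Order
{
    public string Customer { get; set; }
    public decimal Total { get; set; }
    public bool IsVip() => Total > 1000M;
}

// Rejects parsed expressions that name a denied member such as GetType.
// Assumption: LambdaParser resolves members at run time and stores the member
// name as a string constant in the tree, so both forms are checked.
class DenyMemberVisitor : ExpressionVisitor
{
    readonly HashSet<string> denied;
    public DenyMemberVisitor(IEnumerable<string> names)
    {
        denied = new HashSet<string>(names, StringComparer.Ordinal);
    }

    protected override Expression VisitMethodCall(MethodCallExpression node)
    {
        if (denied.Contains(node.Method.Name))
            throw new InvalidOperationException("member not allowed: " + node.Method.Name);
        return base.VisitMethodCall(node);
    }

    protected override Expression VisitConstant(ConstantExpression node)
    {
        if (node.Value is string s && denied.Contains(s))
            throw new InvalidOperationException("member not allowed: " + s);
        return base.VisitConstant(node);
    }
}

public static class SafeEval
{
    static readonly LambdaParser parser = new LambdaParser();
    static readonly DenyMemberVisitor guard = new DenyMemberVisitor(new[] { "GetType" });

    public static object Evaluate(string expr, IDictionary<string, object> vars)
    {
        // Parse first so the tree can be inspected before anything is invoked.
        guard.Visit(parser.Parse(expr));

        // An identifier that is not in the context is an error, never a type
        // or namespace lookup: the expression can only touch what we pass in.
        return parser.Eval(expr, name =>
            vars.TryGetValue(name, out var v)
                ? v
                : throw new KeyNotFoundException("unknown variable: " + name));
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample context.
        var vars = new Dictionary<string, object>
        {
            ["order"] = new Order { Customer = "acme", Total = 1500M }
        };

        Console.WriteLine(SafeEval.Evaluate("order.Total > 1000 && order.IsVip()", vars));

        foreach (var bad in new[] {
            "System.IO.File.ReadAllText(\"/etc/passwd\")",  // 'System' is not a context variable
            "order.GetType().Assembly.FullName" })        // stopped by the GetType guard
        {
            try
            {
                SafeEval.Evaluate(bad, vars);
                Console.WriteLine("ALLOWED:  " + bad);
            }
            catch (Exception e)
            {
                Console.WriteLine("REJECTED: " + bad + " (" + e.Message + ")");
            }
        }
    }
}
```

Denying GetType closes the door the maintainer points at, but the real control is the shape of the context: a context object that itself exposes a `Type`, `Assembly` or `MethodInfo` property hands reflection back to the expression, so keep context objects to plain data and the handful of methods the expression genuinely needs, and treat the deny list as a second line rather than the first.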