zzzprojects / Eval-Expression.NET

C# Eval Expression | Evaluate, Compile, and Execute C# code and expression at runtime.
https://eval-expression.net/

UnregisterAll to prevent access to unsafe operations #132

Closed faramos closed 2 years ago

faramos commented 2 years ago

First of all, congratulations on this impressive library. I don't know if I'm getting the purpose of UnregisterAll right, but is it the expected behavior?

using System;
using Z.Expressions; // namespace of Eval-Expression.NET

var evalContext = new EvalContext();
evalContext.UnregisterAll();                       // drop every default alias/shortcut
//evalContext.RegisterDefaultAliasSafe();          // (not re-adding the "safe" aliases)
// Note: SafeMode is left at its default here, so unregistered types stay reachable
var resultFloat = evalContext.Execute<object>("System.IO.Directory.GetCurrentDirectory()");
Console.WriteLine(resultFloat);

Running this snippet in dotnetfiddle will output "/app" to the console.

JonathanMagnan commented 2 years ago

Hello @faramos ,

Thank you for your kind words. I still remember all the months of effort I put into creating this library ;)

Using UnregisterAll doesn't prevent people from using them; they just no longer have access to some "shortcuts" to members registered by default.

If you want your user to only be able to access what you have registered, you need to use: evalContext.SafeMode = true;

So this code will now return an error as you never authorized it:

using System;
using Z.Expressions; // namespace of Eval-Expression.NET

var evalContext = new EvalContext();
evalContext.UnregisterAll();                       // drop every default alias/shortcut
evalContext.SafeMode = true;                       // only explicitly registered members may be used
//evalContext.RegisterDefaultAliasSafe();          // optionally re-add the aliases considered safe
// System.IO.Directory was never registered, so this call is refused in SafeMode
var resultFloat = evalContext.Execute<object>("System.IO.Directory.GetCurrentDirectory()");
Console.WriteLine(resultFloat);

We will never be able to guarantee that SafeMode is 100% secure, but so far no one has provided us with code that breaks it.

RegisterDefaultAliasSafe allows you to register some classes that we consider safe, such as Array, Enum, and int.

Let me know if you need more information.

Best Regards,

Jon
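The difference between the two snippets in this thread, worked into a small probe. This is an added example, not code from the issue or from the Eval-Expression.NET project: it builds one context with UnregisterAll() plus SafeMode = true, registers only System.Math, and then runs a constructed list of expressions to show which ones the locked-down context still evaluates. Assumptions: that RegisterType(typeof(Math)) makes Math callable by that name inside expressions, and that SafeMode signals a refused member by throwing (the exception type and message text are not documented here, so the probe catches Exception). Math.Max and Math.Sqrt are expected to evaluate; the System.IO, System.Diagnostics and System.Environment probes are expected to be refused.

```csharp
using System;
using System.Collections.Generic;
using Z.Expressions; // Eval-Expression.NET

// Added example: a locked-down EvalContext and a probe over constructed expressions.
static class SafeEvalDemo
{
    // UnregisterAll() alone only removes the default aliases; the type stays
    // reachable by its full name. SafeMode turns the registered set into a boundary.
    public static EvalContext CreateLockedDownContext()
    {
        var ctx = new EvalContext();
        ctx.UnregisterAll();             // drop default aliases/shortcuts
        ctx.SafeMode = true;             // only registered members may be used
        ctx.RegisterType(typeof(Math));  // assumption: exposes System.Math as "Math"
        return ctx;
    }

    // Runs each expression and reports whether the context allowed it.
    public static IEnumerable<(string Expression, bool Allowed, string Outcome)> Probe(
        EvalContext ctx, IEnumerable<string> expressions)
    {
        foreach (var expr in expressions)
        {
            bool allowed;
            string outcome;
            try
            {
                var value = ctx.Execute<object>(expr);
                allowed = true;
                outcome = value?.ToString() ?? "null";
            }
            catch (Exception ex) // assumption: SafeMode refuses via an exception
            {
                allowed = false;
                outcome = ex.GetType().Name + ": " + ex.Message;
            }
            yield return (expr, allowed, outcome);
        }
    }

    public static void Main()
    {
        var ctx = CreateLockedDownContext();

        // Constructed probes: two that should pass, four that should be refused.
        var probes = new[]
        {
            "Math.Max(3, 7)",
            "Math.Sqrt(16)",
            "System.IO.Directory.GetCurrentDirectory()",
            "System.IO.File.ReadAllText(\"/etc/passwd\")",
            "System.Diagnostics.Process.Start(\"id\")",
            "System.Environment.GetEnvironmentVariable(\"PATH\")",
        };

        foreach (var (expression, allowed, outcome) in Probe(ctx, probes))
        {
            Console.WriteLine($"{(allowed ? "ALLOWED" : "BLOCKED")}  {expression}  =>  {outcome}");
        }
    }
}
```

To reproduce the behaviour faramos reported, comment out the `ctx.SafeMode = true;` line and run the probe again: the System.IO, System.Diagnostics and System.Environment expressions then execute, because UnregisterAll() only strips the shortcuts, not the ability to name a type in full. Treat SafeMode as the control that enforces the whitelist, keep the registered set as small as the expressions actually need, and, as the maintainer notes above, do not rely on it as a guarantee against untrusted input.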