Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ASP.NET MVC 3 Razor View Restrictions

Tags:

c#

.net

asp.net

asp.net-mvc-3

I apologize in advance for the generic nature of my question, but I was unable to find any helpful advice from people trying to do the same thing as me on the web. Let me describe my scenario:

I am providing end users/designers of a website the ability to customize their views by storing the views (using Razor) in the database. I have all of this working, but my question is the following; From a security standpoint, how can I ensure and enforce that unwanted code doesn't get executed in the user-defined view? There are two basic approaches that I think will work conceptually, but am not sure which one is more possible or feasible.

Option 1: Create a validation method in the administration tool that allows the user to input the view code. This would need to either take a whitelist or blacklist approach to what is allowable or not.

Option 2: Prevent unwanted code from being able to execute when rendering of the view occurs.

As a quick example of something that would need to be blocked, we wouldn't want to allow access to read or write files, access any data access functions, or even access configuration settings, etc. in the web.config. There will likely be a decently-sized list of things that probably shouldn't be allowable, but I'll need to sit down and try to think of as many security-related concerns as possible.

My question then is, which method would be the best bet? Also, can any direction be provided on how to go about either? I thought I might be able to make trust-level based change which would be Option 2, but couldn't find any way to make that work in a per-view based manor (the administration code is allowed to execute whatever it wants). I'm thinking Option 1 will end up being the best bet and I'll have to check for the input of certain framework functions that shouldn't be allowed. Does anyone have any experience doing anything like what I'm trying to do? ANY feedback is much appreciated!

like image 795
Matt Segedi Avatar asked Nov 13 '22 06:11

Matt Segedi

1 Answers

This would be extremely difficult.

You could run the the template through the Razor preprocessor, then use Roslyn (still in early beta) to parse the generated file and look through all method calls (or constructors) and return an error if it calls something you don't like.
I strongly recommend that you use a whitelist for that, since the .Net framework is big enough that you are bound to overlook something in a blacklist.

However, I would instead recommend that you not use Razor at all and instead use a templating engine that does not allow real C# code.

like image 92
SLaks Avatar answered Nov 16 '22 04:11

SLaks
Sign in to Comment

Related questions

How does a TransactionScope implementation work? What database support is required?
Use C# properties in unmanaged C++ code
TSQL Functions used in stored procedure force column to readonly
Adding comments with the Youtube API randomly failing in .NET
Problems deploying asp.net web application
How can request the locks and deadlocks of a thread at runtime with C#?
Read last line of STDOUT
Track release of com object c#.
Receive audio byte arrays with HTML5 Audio API?
Manipulating WCF header details
How does mouse position translate to a scrolled control?
Collection modify item
Which compression type should i choose in SharpZipLib?
How to serialize a delegate
The term ' ' is not recognized as the name of a cmdlet,
How to capture Print event in Outlook Add-in?
Improve performance of obtaining MethodInfo from MethodCallExpression
Can I reprint a spool file?
Is this a bad practice in overloading a method?
C# is there a foreach oneliner available?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!