How to securely embed the F# compiler in a asp.net web app

Question

I am developing a asp.net web app enabling users to submit F# code, which should be dynamically compiled and executed on the server. I was thinking of either hosting the F# compiler in the web app using the approach shown here: https://fsharp.github.io/FSharp.Compiler.Service/compiler.html Or use F# interactive: http://fsharp.github.io/FSharp.Compiler.Service/interactive.html

The idea would be to dynamically compile the F# code and then load it as an assembly in c# or have F# interactive interpret the code. However, my main concern is security and how to stop the end user from executing arbitrary code. Is there an easy way to restrict this? Thanks!

Answer 1

This is an old question and things have considerably changed since it was asked. Now the Fable team have managed to run the F# compiler inside of a web-worker, removing the need to execute code on the server-side. This side-steps all of the security concerns around executing untrusted code.

• You can try out the REPL here.
• You can view the source-code here.