I am considering parsing simple math equations by compiling from source at runtime. I have heard that there are security considerations that I should be aware of before using this approach, but I can’t find any info on this.

Thanks

C# .net 2.0, winforms

+5  A: 

The problem with this approach is that a user could enter any code they wanted (unless you sanitize it). They could put in code to erase all your files. If this is running on a server, do not do this. Also, even on a desktop, running a compiler just to evaluate an equation is really slow. Make a grammar for your equations with a tool like ANTLR, and embed the parser into your program.

Zifre
+2  A: 

Compiling is a relatively safe operation. It seems like it would only be an issue if there was an exploitable buffer overrun in the compiler. Running the resulting code is certainly a security risk though. Unless you are careful to sanitize the input you could be opening up a rather large security hole in a server application.

I'm curious why you are taking this approach. Simple math equations have a fairly strict grammar and are very easy to parse. I'm sure there are a few free libraries available and, if not, writing your own isn't a huge undertaking. This would probably be a lot faster than shelling out to a compiler in order to validate a math expression's syntax.

JaredPar
I have just started trying to determine which approach will fit the best. I am not decided on any direction. I had just heard of using this method and I thought it was intriguing.
Brad
For the OP's benefit - consider the well-known math functions File.Delete, Process.Start, etc ;-p
Marc Gravell
I see what you mean
Brad
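
As an added example (not code from any of the answers), here is a small recursive-descent parser in C# of the kind Zifre and JaredPar recommend instead of runtime compilation. The class name MathParser, the grammar it accepts and the nesting limit of 64 are assumptions made for this illustration.

```csharp
using System;
using System.Globalization;
// Added example: the grammar has only numbers, + - * /, unary minus and parentheses,
// so identifiers, member access and method calls cannot be expressed and are rejected.
public sealed class MathParser
{
    private const int MaxDepth = 64; // assumed limit; bounds recursion on "((((..."
    private readonly string _s;
    private int _i, _depth;
    private MathParser(string s) { if (s == null) throw new ArgumentNullException("s"); _s = s; }
    public static double Evaluate(string text)
    {
        MathParser p = new MathParser(text);
        double v = p.Expr();
        if (!p.AtEnd()) throw new FormatException("Unexpected input at " + p._i);
        return v;
    }
    // AtEnd skips spaces first; Take consumes c only if it is the next character.
    private bool AtEnd() { while (_i < _s.Length && _s[_i] == ' ') _i++; return _i == _s.Length; }
    private bool Take(char c) { if (AtEnd() || _s[_i] != c) return false; _i++; return true; }
    private double Expr() // expr := term (('+' | '-') term)*
    {
        double v = Term();
        for (;;)
            if (Take('+')) v += Term(); else if (Take('-')) v -= Term(); else return v;
    }
    private double Term() // term := factor (('*' | '/') factor)*
    {
        double v = Factor();
        for (;;)
            if (Take('*')) v *= Factor(); else if (Take('/')) v /= Factor(); else return v;
    }
    private double Factor() // factor := '-'* ('(' expr ')' | number)
    {
        double sign = 1;
        while (Take('-')) sign = -sign; // unary minus handled in a loop, not by recursion
        if (Take('('))
        {
            if (++_depth > MaxDepth) throw new FormatException("Nested too deeply");
            double v = Expr();
            if (!Take(')')) throw new FormatException("Missing ')' at " + _i);
            _depth--;
            return sign * v;
        }
        int start = _i;
        while (_i < _s.Length && (_s[_i] == '.' || (_s[_i] >= '0' && _s[_i] <= '9'))) _i++;
        if (start == _i) throw new FormatException("Number expected at " + _i);
        return sign * double.Parse(_s.Substring(start, _i - start), CultureInfo.InvariantCulture);
    }
}
```

Call it as `MathParser.Evaluate(input)` and catch `FormatException` for invalid input. Text such as the `File.Delete` from the comment above fails at its first letter, because the grammar has no rule for names.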
+4  A: 

Some time ago I stumbled upon a clever way to do this: take advantage of the eval function of JScript. You can create a simple JScript class:

  class JsMath
  {
    static function Eval(MathExpression : String) : double
    {
      return eval(MathExpression);
    };
  }

Compile it like this:

  jsc /target:library JsMath.js

Now you can just reference the JsMath library and use the JsMath.Eval method.

Thomas Levesque
+1 but you didn't mention the most important point: code run by eval runs in a restricted security context by default, thereby addressing the security concern expressed by the OP. Documentation: http://msdn.microsoft.com/en-us/library/b51a45x6(VS.80).aspx
Wim Coenen
indeed, it's also much more secure than dynamic compilation... thanks for the precision ;)
Thomas Levesque
+2  A: 

If the C# "equations" can be saved and exchanged between users, then there is certainly a security risk. A user could put malicious code in the equation, and have it do bad things on the machines of other users. Or a user could simply be tricked into entering a malicious "equation" (think of the old alt+F4 prank here).

Fortunately you can safely host untrusted code in a .NET sandbox. The general idea is that you create a separate AppDomain (with the AppDomain.CreateDomain method) that has only minimal permissions, and then load and run the user code there.

Loading dynamically generated assemblies into a separate AppDomain is a good idea anyway, because it allows you to unload them again.

Wim Coenen