Roslyn-IRC-Bot
Sandbox issue
Hey,
I found an issue with the ScriptExecuter class. It uses reflection to load an assembly in the sandboxed domain. When you load the Submission type from this assembly, it seems that it isn't marshaled to the sandbox appdomain, and then it executes it in the current appdomain. Probably because Type\MemberInfo\etc. do not inherit from the MarshalByRef class, and they are objects of the current domain. So, when you execute code, it will be executed in the main appdomain with full trust permissions.
Hi Sergey,
You are most likely right about that. There is another project in my repo called Roslyn-Hosted-Execution that has a better, more secure execution class. Have a look at that and I'll pull that into this project as soon as I can.
Here's the link to the executor: https://github.com/fekberg/Roslyn-Hosted-Execution/blob/master/Rossie/Rossie.Engine/CodeExecuter.cs
Let me know if there are any problems with that too.
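
The behaviour reported in this issue, next to a corrected pattern, as an added example that is not code from either project or from the thread participants. It assumes .NET Framework 4.x; `Probe`, `SandboxRunner` and the "Sandbox" domain name are hypothetical, the host's own assembly is a constructed stand-in for a compiled submission, and `ApplicationBase` is set to the host directory only to keep the demo short.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;

// Stand-in for a compiled submission: reports where it actually runs.
public static class Probe
{
    public static string WhereAmI()
    {
        return AppDomain.CurrentDomain.FriendlyName + ", full trust: " + AppDomain.CurrentDomain.IsFullyTrusted;
    }
}

// Hypothetical runner. Deriving from MarshalByRefObject means the host only
// holds a proxy, so Run() and everything it reflects over stay in the sandbox.
public sealed class SandboxRunner : MarshalByRefObject
{
    public string Run(byte[] assembly, string type, string method)
    {
        MethodInfo m = Assembly.Load(assembly).GetType(type, true).GetMethod(method);
        return (string)m.Invoke(null, null); // only a string crosses back
    }
}

public static class Program
{
    public static void Main()
    {
        string self = typeof(Program).Assembly.Location;
        byte[] bytes = File.ReadAllBytes(self); // constructed sample input
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        var setup = new AppDomainSetup { ApplicationBase = Path.GetDirectoryName(self) };
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grant);

        // Pattern from the report: Assembly is serializable, not MarshalByRefObject,
        // so Load() hands the host its own copy and Invoke runs in the host domain.
        Assembly leaked = sandbox.Load(bytes);
        Console.WriteLine(leaked.GetType("Probe").GetMethod("WhereAmI").Invoke(null, null));

        // Corrected: reflection and invocation happen behind the proxy.
        var runner = (SandboxRunner)Activator.CreateInstanceFrom(
            sandbox, self, typeof(SandboxRunner).FullName).Unwrap();
        Console.WriteLine(runner.Run(bytes, "Probe", "WhereAmI"));
        AppDomain.Unload(sandbox);
    }
}
```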