dynamic reflection from xml file security

TS
I have code that creates assemblies and classes from the assembly and
methods from the classes to set properties of dynamically created controls.

How should I go about validating the assemblies, classes, & properties
declared in the xml file?

Thanks
Jan 9 '06 #1
TS,

Can you be more specific with what you mean by validating? How are
these things declared in the XML file?

If you are creating an assembly, then you are using the reflection
APIs, or you are generating C# code and compiling on the fly. Either way,
you should get an error if the code is not valid.

Can you provide more information?
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com


Jan 9 '06 #2
TS
controlAssemblyTypeName="XXX.XXXXX.Web"
controlTypeName="XXX.XXXXX.Web.Controls.StandardCriteria"

And then there are xml sub elements listing all the properties to set on the
standard criteria class

I am using the following method to find the assembly based on the name
declared in xml file and using it to instantiate the class declared in
controlTypeName:

    private Assembly GetAssembly(string assemblyTypeName){
        foreach(Assembly assembly in AppDomain.CurrentDomain.GetAssemblies()){
            if(assembly.GetName().Name == assemblyTypeName)
                return assembly;
        }
        return null;
    }

This could let them find a System assembly

Later to create the class instance I do the following:

    // Use reflection to create control
    control = (Control) assembly.CreateInstance(controlTypeName);


Jan 9 '06 #3
TS,

Ok, I kind of understand what you are doing now.

In order to load the assembly, you don't have to check the assemblies in
the current domain. Rather, you should just call one of the Load methods in
the Assembly class. If the assembly is loaded already, then it will return
that. If not, it will load the assembly.

To get the type, call the GetType method on the Assembly instance that
you loaded.

Then, you call CreateInstance on the Activator class to create the
instance.

From there, you can call GetProperty on the Type to get the property,
and then call the SetValue method on the PropertyInfo returned from the call
to GetProperty to set the value (passing in your instance returned from
CreateInstance).
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com


Jan 10 '06 #4
TS
Ok, I have it working now, but your way is probably better... but what about
validating the assembly and class entered in the xml file... in case the xml
file was hijacked and they maybe used a system assembly and tried to execute
system commands, etc. How do I lock down this type of interface?

thanks


Jan 10 '06 #5
Hi TS,

What do you mean by executing a system command? If the assembly is coming
from an untrusted source, I suggest you create a code group and not give
the assembly full permission for executing.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Jan 12 '06 #6
TS
> If the assembly is coming
> from an untrusted source, I suggest you create a code group and not give
> the assembly full permission for executing.

The only assemblies would be framework assemblies

> What do you mean by executing a system command?

I mean is there any class in the .net framework that by ONLY instantiating
it and optionally setting some of its properties could cause a
security risk or other ill effects?

See, I am allowing server controls to be instantiated by supplying its name
and assembly name for the sole purpose of dynamically putting it on a web
page as well as setting properties of that control thru the xml. Methods of
the control are not invoked; the only thing supplied is the option to set
properties of this control.

I want to make sure I don't have a security risk in my xml file that could
get hijacked on the server and be manipulated in some way to do harm or
other issues to a production box.

thanks


Jan 12 '06 #7
Hi TS,

In this case, I think the best way is to give the assembly a limited
permission set, so that the assembly will not do anything harmful if the
xml is hijacked.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Jan 13 '06 #8
TS
Can I give permissions embedded in the code so that no server or environment
changes have to be done?

Jan 13 '06 #9
Hi TS,

This policy cannot be set from the code. Because if it can be set by code,
the hackers can also do that. Then it will be of no use. It can only be set
from the .NET configuration settings in the administrative tools.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Jan 16 '06 #10
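
Added example (not part of the thread and not any poster's code): one way to validate the assembly, type and property names from the XML before the Load / GetType / CreateInstance / SetValue sequence described in post #4 is a fixed allowlist checked in code. The Control and StandardCriteria classes are stand-ins so the block runs on its own; the property names and the allowlist layout are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Reflection;

// Stand-ins (assumptions): the real base type would be the server control class.
public class Control { }
public class StandardCriteria : Control
{
    public string Caption { get; set; }   // hypothetical property
    public int MaxRows { get; set; }      // hypothetical property
}

public static class ControlFactory
{
    // Allowlist fixed in code, not in the XML: "assembly|type" -> settable properties.
    static readonly Dictionary<string, HashSet<string>> Allowed = new Dictionary<string, HashSet<string>>
    {
        { typeof(StandardCriteria).Assembly.GetName().Name + "|StandardCriteria",
          new HashSet<string> { "Caption", "MaxRows" } }
    };

    public static Control Create(string assemblyName, string typeName, IDictionary<string, string> props)
    {
        HashSet<string> allowedProps;
        if (!Allowed.TryGetValue(assemblyName + "|" + typeName, out allowedProps))
            throw new InvalidOperationException("Not on the allowlist: " + assemblyName + ", " + typeName);
        // Only allowlisted names reach Assembly.Load and GetType.
        Type type = Assembly.Load(assemblyName).GetType(typeName, true);
        if (!typeof(Control).IsAssignableFrom(type))
            throw new InvalidOperationException(typeName + " is not a Control");
        // Resolve and convert every property before constructing anything.
        var pending = new List<KeyValuePair<PropertyInfo, object>>();
        foreach (KeyValuePair<string, string> p in props)
        {
            PropertyInfo info = allowedProps.Contains(p.Key) ? type.GetProperty(p.Key) : null;
            if (info == null || info.GetSetMethod() == null)
                throw new InvalidOperationException("Property not allowed: " + p.Key);
            pending.Add(new KeyValuePair<PropertyInfo, object>(
                info, Convert.ChangeType(p.Value, info.PropertyType, CultureInfo.InvariantCulture)));
        }
        object instance = Activator.CreateInstance(type);
        foreach (KeyValuePair<PropertyInfo, object> s in pending)
            s.Key.SetValue(instance, s.Value, null);
        return (Control)instance;
    }

    public static void Main()
    {
        string asm = typeof(StandardCriteria).Assembly.GetName().Name;
        var props = new Dictionary<string, string> { { "Caption", "Search" }, { "MaxRows", "25" } }; // constructed sample
        Console.WriteLine(((StandardCriteria)Create(asm, "StandardCriteria", props)).MaxRows);
        try { Create("System", "Some.Other.Type", props); }   // constructed tampered entry, rejected before any load
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

The allowlist limits what the XML can name; it works alongside, not instead of, the restricted permission set suggested in the thread.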
