dynamic reflection from xml file security

TS
I have code that creates assemblies and classes from the assembly and
methods from the classes to set properties of dynamically created controls.

How should I go about validating the assemblies, classes, & properties
declared in the xml file?

Thanks
Jan 9 '06 #1
TS,

Can you be more specific with what you mean by validating? How are
these things declared in the XML file?

If you are creating an assembly, then you are using the reflection
APIs, or you are generating C# code and compiling on the fly. Either way,
you should get an error if the code is not valid.

Can you provide more information?
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

Jan 9 '06 #2
TS
controlAssemblyTypeName="XXX.XXXXX.Web"
controlTypeName="XXX.XXXXX.Web.Controls.StandardCriteria"

And then there are xml sub elements listing all the properties to set on the
standard criteria class

I am using the following method to find the assembly based on the name
declared in xml file and using it to instantiate the class declared in
controlTypeName:

// Returns the first loaded assembly whose simple name matches, or null.
private Assembly GetAssembly(string assemblyTypeName){

    foreach(Assembly assembly in AppDomain.CurrentDomain.GetAssemblies()){

        if(assembly.GetName().Name == assemblyTypeName)
            return assembly;
    }

    return null;

}

This could let them find a System assembly

Later to create the class instance I do the following:

// Use reflection to create control
control = (Control) assembly.CreateInstance(controlTypeName);

Jan 9 '06 #3
TS,

Ok, I kind of understand what you are doing now.

In order to load the assembly, you don't have to check the assemblies in
the current domain. Rather, you should just call one of the Load methods in
the Assembly class. If the assembly is loaded already, then it will return
that. If not, it will load the assembly.

To get the type, call the GetType method on the Assembly instance that
you loaded.

Then, you call CreateInstance on the Activator class to create the
instance.

From there, you can call GetProperty on the Type to get the property,
and then call the SetValue method on the PropertyInfo returned from the call
to GetProperty to set the value (passing in your instance returned from
CreateInstance).
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

Jan 10 '06 #4
TS
Ok, I have it working now, but your way is probably better...but what about
validating the assembly and class entered in the xml file...in case the xml
file was hijacked and they maybe used a system assembly and tried to execute
system commands, etc. How do I lock down this type of interface?

thanks

Jan 10 '06 #5
Hi TS,

What do you mean by executing a system command? If the assembly is coming
from an untrusted source, I suggest you create a code group and not give
the assembly full permission for executing.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Jan 12 '06 #6
TS
> If the assembly is coming
> from an untrusted source, I suggest you create a code group and not giving
> the assembly full permission for executing.

The only assemblies would be framework assemblies

> What do you mean by executing a system command?

I mean is there any class in the .net framework that by ONLY instantiating
it and optionally setting some of its properties could cause a
security risk or other ill effects?

See, I am allowing server controls to be instantiated by supplying its name
and assembly name for the sole purpose of dynamically putting it on a web
page as well as setting properties of that control through the xml. Methods of
the control are not invoked; the only thing supplied is the option to set
properties of this control.

I want to make sure i don't have a security risk in my xml file that could
get hijacked on the server and be manipulated in some way to do harm or
other issues to a production box.

thanks

Jan 12 '06 #7
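
The lock-down TS asks about can be combined with the Load / GetType / CreateInstance / GetProperty / SetValue sequence Nicholas describes by checking an allowlist before any reflection call. This is an added example, not code from any poster in the thread; ControlBase, SampleCriteria, AllowlistedControlFactory and the allowlist contents are hypothetical stand-ins (a real page would use its own control base class and control types).

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Reflection;

// Constructed stand-ins for the real control base class and one permitted control.
public class ControlBase { }
public class SampleCriteria : ControlBase
{ public string Caption { get; set; } public int MaxRows { get; set; } }

public static class AllowlistedControlFactory
{
    // Hypothetical allowlist: "assembly|type" -> properties the XML may set.
    static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.Ordinal)
        {
            { typeof(SampleCriteria).Assembly.GetName().Name + "|" + typeof(SampleCriteria).FullName,
              new HashSet<string>(StringComparer.Ordinal) { "Caption", "MaxRows" } }
        };
    public static ControlBase Create(string assemblyName, string typeName,
                                     IDictionary<string, string> properties)
    {
        HashSet<string> settable;
        // Reject before Load/GetType so unlisted names never reach reflection.
        if (!Allowed.TryGetValue(assemblyName + "|" + typeName, out settable))
            throw new InvalidOperationException("Not allowlisted: " + typeName);
        Type type = Assembly.Load(assemblyName).GetType(typeName, true);
        if (!typeof(ControlBase).IsAssignableFrom(type))
            throw new InvalidOperationException("Not a control: " + typeName);
        object instance = Activator.CreateInstance(type);
        foreach (KeyValuePair<string, string> p in properties)
        {
            if (!settable.Contains(p.Key))
                throw new InvalidOperationException("Property not allowlisted: " + p.Key);
            PropertyInfo info = type.GetProperty(p.Key, BindingFlags.Public | BindingFlags.Instance);
            // Convert the XML string to the property's declared type before setting it.
            object value = TypeDescriptor.GetConverter(info.PropertyType).ConvertFromInvariantString(p.Value);
            info.SetValue(instance, value, null);
        }
        return (ControlBase)instance;
    }
    public static void Main()
    {
        string asm = typeof(SampleCriteria).Assembly.GetName().Name;
        var props = new Dictionary<string, string> { { "Caption", "Orders" }, { "MaxRows", "25" } };
        var c = (SampleCriteria)Create(asm, typeof(SampleCriteria).FullName, props);
        Console.WriteLine(c.Caption + " / " + c.MaxRows);
        try { Create("System", "System.Diagnostics.Process", props); }   // constructed hostile input
        catch (InvalidOperationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

Because the allowlist lives in compiled code rather than in the XML, editing the XML file alone cannot add a new assembly, type or property to what gets instantiated.
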
Hi TS,

In this case, I think the best way is to give the assembly a limited
permission set, so that the assembly will not do anything harmful if the
xml is hijacked.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Jan 13 '06 #8
TS
Can I give permissions embedded in the code so that no server or environment
changes have to be done?


Jan 13 '06 #9
Hi TS,

This policy cannot be set from the code. Because if it can be set by code,
the hackers can also do that. Then it will be no use. It can only be set
from the .NET configuration settings in the administrative tools.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Jan 16 '06 #10
