473,473 Members | 4,257 Online
Bytes | Software Development & Data Engineering Community
Create Post

Home Posts Topics Members FAQ

Running runtime code and security

balabaster
797 Recognized Expert Contributor
I'd like to include the ability for users to be able to script certain extensibility themselves for an application, i.e. they can create their own add-on scripts in a somewhat similar way to the Microsoft Office suite. However, to throw a security wrench in the works, the software is being built as a web application. So I'd like to know how I go about putting these user scripts in a sandbox so they can't bugger around with things they're not supposed to. For instance, the file system, databases and other such stuff. They should only be able to evaluate logical data that exists in the context of the expression and contained variables.

Has anyone had to do this before? If so, what approach did you take?
Sep 2 '08 #1
2 1116
Plater
7,872 Recognized Expert Expert
Wow. I was about to link to your own post about creating the expression evaluator when I realized it was already you asking the question.
I really do NOT like the new "first message" format.

You could restrict them to applying their scripts on things contained in their own Session object, then control what can and cannot be put into the session object?
Sep 2 '08 #2
balabaster
797 Recognized Expert Contributor
Wow. I was about to link to your own post about creating the expression evaluator when I realized it was already you asking the question.
I really do NOT like the new "first message" format.

You could restrict them to applying their scripts on things contained in their own Session object, then control what can and cannot be put into the session object?
Hehe, the math part of the equation was a cakewalk - now I'm getting into the logic part of the equation...which I'm still looking for inspiration on. I have some ideas:

CodeDom.Compiler - Not sure if or how I can sandbox this to prevent security issues, probably using thread.principal to verify security permissions - but then I have to worry about system security outside of the application, which to be honest, I'm not enthused about.

Custom Parser - Probably the way I will go because it's the only way I can think of to create a sandbox to prevent security issues.

Domain Specific Languages - not sure if this is a dead end or not yet, I havent finished my investigation... but so far, it's looking like more work than I wanted to put in for such a minor piece of the application.

I was just reading a nifty article about parse trees by a guy called John Kennedy at Santa Monica College and it took me back to my university days. It's definitely something that anyone trying to tackle this type of challenge should read - it's at:

http://homepage.smc.edu/kennedy_john/PARSETREES.PDF

Alas, all the code contained within is in Pascal - so probably not useful to everyone. But I found it pretty interesting...

Sadly, it only really takes me part way - the equation evaluator - and to be honest, my equation evaluator is about as advanced as it needs to be for this application, and only took half as much technical ingenuity to code it - it takes the exact same route as if you'd figured it out by hand and the pattern recognition approach a human uses. If I needed something more advanced I would pursue the parse trees and probably build something more technically advanced to cover the greater scope.

Right now though, I think it just boils down to inspiration, I've not come across anything sexy enough. All the solutions I've come across are either just ugly or are not only ugly, but far more code than I think should be necessary...
Sep 3 '08 #3

Sign in to post your reply or Sign up for a free account.

Similar topics
9
Runtime error while running web application on remote machine
by: Marina Anufreichik | last post by:
Hi, After deploymnet web application on web server I can access page on local machine and login fine but when I'm trying to access web site from remote machine I can see login page, but when I'm...
Latest Bytes
8
Running GUI application in separate application domain
by: nickdu | last post by:
I'm trying to isolate "applications" into their own application domain within a single process. I've quoted applications because it's a logical representation of an application. Basically it...
Latest Bytes
4
Running in Runtime
by: Pachydermitis | last post by:
Hi, I am distributing an access database to systems that all have office installed on them. Is there any way to force this database to run in runtime mode - other than the /runtime switch? Are...
Latest Bytes
2
System.Security.SecurityException thrown when running app from network drive.
by: David Lindgren | last post by:
Hello! When I am trying to run my .NET application from a network drive a System.Security.SecurityException exception is thrown. Why is that? How do I prevent it? Thanks! /David.
Latest Bytes
1
.NET security exception when running from the server...........
by: Robin Tucker | last post by:
Hi, I recently wrote a really simple key generator for our software. It is designed so that it is only capable of being run from a given server, by checking an encrypted MAC address and other...
Latest Bytes
2
Security / Permissions problems running over network!
by: leeedw | last post by:
Hi All, I have a windows app that runs perfectly on my machine, but when I try to run it over the network it bombs. I get a permissions error. Here is the code, I even tried adding...
Latest Bytes
1
How to specify security access for assembly running in ASP.NET
by: Shimon Sim | last post by:
How to specify security access for assembly running in ASP.NET? FxCop requests it always and I always ignore it. I am thinking that this is good thing to know how to do. I usually need the...
Latest Bytes
4
RunTime Error - After my web site running 2 or 3 days
by: news.citenet.net | last post by:
I keep getting the following error message after my web site running 2 or 3 days I share one folder with about 200 domain names Any one can help? ...
Latest Bytes
9
How do I check if app is running in Visual Studio or via executing exe file?
by: Michael.Suarez | last post by:
Suppose I have a program that prompts you with a dialogbox to enter a password. If you get the password correct, it allows you into the program, else it kills the program. Suppose that when I...
Latest Bytes
4
Running macros in Access 2007 Runtime on Vista
by: jackbenimble999 | last post by:
Hello! Has anyone had trouble running macros on the Access runtime version on Vista? I tried enabling macros in the trust center, and thought for sure this would solve the problem! But, alas, my...
Latest Bytes
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Latest Bytes
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
Latest Bytes
1
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Latest Bytes
0
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
Latest Bytes
0
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
Latest Bytes
1
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new...
Latest Bytes
0
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
Latest Bytes
0
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
Latest Bytes
0
muto222
php
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
Latest Bytes

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us