执行不受信任的代码
我正在构建一个使用插件的 C# 应用程序。应用程序必须向用户保证插件不会在用户计算机上为所欲为,并且拥有比应用程序本身更少的权限(例如,应用程序可以访问自己的日志文件,而插件则不能) 。
我考虑了三种选择。
使用 System.AddIn。我首先尝试了这个替代方案,因为它看起来非常强大,但每次我想修改某些内容时都需要在七个不同的项目中修改相同的代码七次,我真的很失望。此外,即使是一个简单的 Hello World 应用程序,也有大量问题需要解决。
使用System.Activator.CreateInstance(程序集名称,类型名称)。这是我在应用程序的先前版本中使用的。我再也不能使用它,因为它没有提供限制权限的方法。
使用 System.Activator.CreateInstance(AppDomain 域,[...])。这就是我现在正在尝试实现的,但似乎唯一的方法是通过 ObjectHandle,这需要对每个使用的类进行序列化。尽管插件包含不可序列化的 WPF UserControls。
那么有没有办法创建包含 UserControls 或其他不可序列化对象的插件并使用自定义 PermissionSet 执行这些插件?
I'm building a C# application which uses plug-ins. The application must guarantee to the user that plug-ins will not do whatever they want on the user machine, and will have less privileges that the application itself (for example, the application can access its own log files, whereas plug-ins cannot).
I considered three alternatives.
Using System.AddIn. I tried this alternative first, because it seamed much powerful, but I'm really disappointed by the need of modifying the same code seven times in seven different projects each time I want to modify something. Besides, there is a huge number of problems to solve even for a simple Hello World application.
Using System.Activator.CreateInstance(assemblyName, typeName). This is what I used in the preceding version of the application. I can't use it nevermore, because it does not provide a way to restrict permissions.
Using System.Activator.CreateInstance(AppDomain domain, [...]). That's what I'm trying to implement now, but it seems that the only way to do that is to pass through ObjectHandle, which requires serialization for every used class. Although plug-ins contain WPF UserControls, which are not serializable.
So is there a way to create plug-ins containing UserControls or other non serializable objects and to execute those plug-ins with a custom PermissionSet ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您可以做的一件事是将当前 AppDomain 的策略级别设置为受限权限集,并添加证据标记以根据强名称或位置进行限制。最简单的可能是要求插件位于特定目录中并给它们一个限制性策略。
例如,
当然,这没有经过严格的测试,而且 CAS 策略非常复杂,因此始终存在此代码可能允许某些内容绕过策略的风险,YMMV :)
One thing you could do is set the current AppDomain's policy level to a restricted permission set and add evidence markers to restrict based on strong name or location. The easiest would probably be to require plugins are in a specific directory and give them a restrictive policy.
e.g.
Of course this isn't rigorously tested and CAS policy is notoriously complex so there is always a risk that this code might allow some things to bypass the policy, YMMV :)