I'm building an application that will load untrusted assemblies for inspection (i.e. retrieval of the assembly full name). For security reasons, I'm trying to think of a way that these assemblies could be written that would allow them to execute code when loaded. I haven't code up with a method yet, but wanted to throw it out here to see if anyone could.
I'm aware that I could load these assemblies into an untrusted app domain, effectively stopping them from doing almost anything, but I wanted to avoid the complexity if it's un-needed.
Specifically, I will be calling Assembly.Load and <LoadedAssebmly>.FullName. Maybe there's a better way to load the assembly name without using the Assembly class?
Thanks,
Matt
First of all, there's the AssemblyName class. It allows you to find the assembly's name without loading it. Second, you can load assemblies using Assembly.ReflectionOnlyLoad, which uses the reflection-only context -- no code can be executed from such an assembly.
Yes, it is possible: .Net: Running code when assembly is loaded
I suggest, you use a method to inspect the assembly, that doesn't load it, i.e. Mono.Cecil
Related
To be more specific, when a cshtml is needed, what happens? I would need to build an application with only ashx and a template engine, without the MVC stuffs, simple rendering, but i would'not like to loose the capability to change the cshtml files on the fly. So I have somehow to manage their recompilation, possibly without recycling the application server loading and unloading AppDomains.
On the first request I can build the page and load it in a sort of cache (like RazorEngine on codeplex), then reuse it. When the page changes i should change the page and that's it.
But as far as I understood a new assembly is built for every page, so if there are frequent changes (that is likely to happens in my environment) tons of assemblies will get loaded.
The question is,
How it works for the standard MVC ?
CodeDom is used, or directly IL that is subsequently added without creating new assemblies?
One thing that comes me in mind now is that after building the assembly, it can be decompiled and then the IL loaded directly on the app, that would make sense
Ask for further clarification if it's unclear! (and any suggestion to this Stackoverflow newbie is welcome)
Ok,
First the cshtml files are loaded then the files are compild into their own assemblies with the standard CSharp/VbCodeCompiler, no code dom is present as far as i understood...
I have a system which was using Ninject and loading assemblies using the file pattern kernel load method. Things were working fine with this setup.
A new requirement for the application was to bundle everything into a single exe. We used the technique described here for that. Thus to register everything with Ninject we needed to load the assemblies and call the kernel load for each assembly. However, this would not work. Ninject would always fail even though the binding was registered. I saw it in the debugger as being registered and it worked in the immediate window, but not in the code.
The only solution we found was to manually register each NinjectModule.
Is it possible to use Ninject when the assembly is bundled inside of another one?
The only solution was to manually pass in references to the NinjectModule.
I'm using a custom framework that uses reflection to do a GetTypeByName(string fullName) on the fully-qualified type name that it gets from the database, to create an instance of said type and add it to the page, resulting in a standard modular kind of thing.
GetTypeByName is a utility function of mine that simply iterates through Thread.GetDomain().GetAssemblies(), then performs an assembly.GetType(fullName) to find the relevant type. Obviously this result gets cached for future reference and speed.
However, I'm experiencing some issues whereby if the web.config gets updated (and, in some scarier instances if the application pool gets recycled) then it will lose all knowledge of certain assemblies, resulting in the inability to render an instance of the module type. Debugging shows that the missing assembly literally does not exist in the current thread assemblies list.
To get around this I added a second check which is a bit dirty but recurses through the /bin/ directory's DLLs and checks that each one exists in the assemblies list. If it doesn't, it loads it using Assembly.Load and fixing the context issue thanks to 'Solving the Assembly Load Context Problem'.
This would work, only it seems that (and I'm aware this shouldn't be possible) some projects still have access to the missing assembly, for example my actual web project rather than the framework itself - and it then complains that duplicate references have been added!
Has anyone ever heard of anything like this, or have any ideas why an assembly would simply drop out of existence on a config change? Short of a solution, what is the most elegant workaround to get all the assemblies in the bin to reload? It needs to be all in one "hit" so that the site visitors don't see any difference other than a small delay, so an app_offline.htm file is out of the question. Programatically renaming a DLL in the bin and then naming it back does work, but requires "modify" permissions for the IIS user account, which is insane.
Thanks for any pointers the community can gather!
Generally, you should avoid relying on what assemblies are currently loaded in an appdomain, as that happens dynamically. Instead, simply call System.Web.Compilation.BuildManager.GetType() instead of Type.GetType() or Assembly.GetType(). This should just do the right thing for you, and not be affected by appdomain cycles.
As you obviously know, there are many situations where the current appdomain is unloaded and reloaded. After each reload, all assemblies are unloaded and the whole application starts running "from scratch".
Assemblies are by default loaded on demand. Usually that is the case when the JIT stumbles across some reference. In consequence, a appdomain reload will clear out the assemblies in the appdomain and they will only appear again later on when the JIT loads them.
As solution I'd rever to using the static Type.GetType() method and supply an assembly qualified name (e.g. a type name with the assembly name included). That's the same thing the framework uses when loading types specified in the config file, and it will make sure that the required assembly is searched and loaded on demand without using any tricks. See the remarks section of the method above (the method name above name is a link).
This will require updates to your database to hold assembly qualified names instead of "only" fully qualified type names. However, it also makes sure that you don't run into name collisions when two assemblies provide different type with the same name, so this is a good idea anyways I think.
I've never heard of this problem before.
I'm not sure if this will work, as I only recently read about it while researching workarounds to ODAC dependencies, but specifying the probing path for assemblies may fix your issue.
see: http://msdn.microsoft.com/en-us/library/823z9h8w(VS.80).aspx
sample:
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<probing privatePath="bin;bin2\subbin;bin3"/>
</assemblyBinding>
</runtime>
</configuration>
I have a similar problem, when I update 2-5 files, ether web.config, ether other files, and asp.net needs to recreate the running files, then some times did not find some classes/function that exist on dll files, and my system is not working - throw errors like yours.
My solution to that is that I place the app_offline.htm on the root, make my updates, then rename/remove the app_offline.htm and my system works fine.
I am sure that have something to do with the cached compiled files, but I did not have deaply search whats exactly cause that.
[what is the most elegant workaround to get all the assemblies in the bin to reload]
Now what is the most elegant workaround on this is to call the HttpRuntime.UnloadAppDomain and actually make your application to stop and starts again.
http://msdn.microsoft.com/en-us/library/system.web.httpruntime.unloadappdomain(VS.80).aspx
I do not know if this solve your issue, you need to make tests.
probably on Global.asax make something like that
void Application_Error(object sender, EventArgs e)
{
Exception ex = Server.GetLastError().GetBaseException();
...if ex is your error, and you get more than 2 ...
{
HttpRuntime.UnloadAppDomain();
}
}
I would try to create some basic class from which assembly, which is interesting for you without reflection on Application Start to make sure it is loaded.
E.g.
var temp = new BaseModuleBuilder();
This do not look smart, but it is very straitforward and asp.net should do everything for you. In case when your list is too dynamic, it could be something like
var temp = Activator.CreateInstance(Type.GetType("BaseModuleBuilder, Modules.dll"));
Make sure to always specify DLL when working with dynacmically loaded classes.
I have a ASP.net application that is referencing a external assembly that I need to dynamically load and discover any types implementing a known interface. The problem I am having is that the type I reflect does not match the same interface that is running and so I cannot cast it.
Example:
This code is run in ASP.net app.
var assembly = Assembly.LoadFile(Path.Combine(HttpRuntime.BinDirectory, "ExternalAssembly.dll"));
var type = assembly.GetExportedTypes().First<Type>(x => x.Name == "AClass"); // AClass implements IAInterface
var reflectedInterface = type.GetInterface(typeof(IAmAInterface).ToString());
if (reflectedInterface != typeof(IAmAInterface))
throw new Exception("This makes me sad"); // This code gets run
The only difference I can see between the reflected interface I loaded from the bin and the interface returned from typeof is that the typeof assembly has a location in the temp ASP.net path (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\08c43c8b\3adac8cf\assembly\dl3\eb7a4127\0235ea60_a3c8c901\ReflectionTest.DLL)
Thanks Paul Alexander I have changed the code to use the Assembly.Load method not Assembly.LoadFile which solves the problem.
wwilden: I also tried extracting the interface into it's own assembly and this does also solve the problem.
When you use LoadFile the assembly is not loaded into the same context as your other assemblies at runtime so to the CLR interface runtime types are different. You can read more in Suzanne Cook's Debugging Assembly Load Failures.
If the assembly that you're loading is already in the Bin directory - you can load it by name. You don't need to know the exact path as the Bin folder is already in the assembly probing path.
Where is your interface type defined? Does it exist both in the reflected assembly as well as in the application itself? Then you actually have two different interfaces, even though they have the same namespace and name.
What you need to do is extract the interface from the reflected assembly and put it into another assembly that you refer to both from the reflected assembly as well as your application. Then it should work.
Apart from your problem, if you have a lot of assemblies to dynamically load, remember that they will remain in memory until the ASP.NET worker process reloads. This could influence your server's performance.
You could load the assemblies in a separate AppDomain (the smallest unit that is possible to unload), load a proxy class in that AppDomain which you reference with .NET remoting. Once finished, you unload the AppDomain.
There is an interesting article over at CodeProject about a situation like this. Where you have a class that has a structure that is identical with an interface without implementing the interface itself. The article outlines a method of dynamically creating wrapper classes that implement the needed interface. It could be helpful in your situation.
I heard from a friend that asp.net relies on/uses a Windows forms class. I tried to figure out which class that might be.
The only class I found was System.Web.UI.WebControls.FontInfo
with the property public string[] Names
that has an Attribute Editor("System.Windows.Forms.Design.StringArrayEditor--snip")
Is there a reference to the Windows.Forms.dll from System.Web.dll?
I think there is a reference from System.Web, Version 2.0.0.0 to System.Windows.Forms.
Check out System.Web.Compilation.ResXBuildProvider.GetResourceReader(Stream) in Reflector.
On line one: ResXResourceReader reader = new ResXResourceReader(inputStream);
ResXResourceReader is from System.Windows.Forms, Version 2.0.0.0
I was curious because I noticed System.Windows.Forms in the loaded modules window in Visual Studio.
ildasm System.web.dll /out =System.Web.il let me quickly search for System.Windows.Forms references. I couldn’t quickly figure out a way to do it from reflector.
There is no reference, and not System.Windows.Forms either.
The StringArrayEditor is a UITypeEditor in the System.Design assembly. This does not get loaded unless used except at design time, when it will be 'lazy-loaded'.
First of all, I am not sure such an existence.
But Namespace or classname doesn't necessary mean you need a reference to Windows.Forms.dll. You can define "System.Windows.Forms.Design.StringArrayEditor" in an assembly outside Windows.Forms.dll.
If you look at the System.Web assembly in the handy Reflector tool, you will see that there is indeed a reference from System.Web to System.Windows.Forms. However, if you use one of the plugins for Reflector that will export the reverse engineered code to files (e.g. FileGenerator), and then search through that, there is no actual use of System.Windows.Forms. Since the .Net runtime will only load assemblies when they are actually needed, the WinForms assembly should never actually be loaded through any usage of System.Web.
Add me to the list of skeptics. But more importantly, it doesn't matter. The way the .Net framework is set up for linking adding or removing a dependance on any of the core assemblies that ship with the framework won't really impact performance in any meaningful way.