How dangerous is it to let users specify RazorEngine templates?

Question

I have mail-merge like functionality, which takes a template, some business object, and produces html which is then made into PDF.

I\'m using RazorEngine to do the t

Answer 1

I believe that having removed using statements and replacing any @System.[...] like System.IO.File.Delete(filepath) using regex can reduce a fair amount of possible security holes.

Keep in mind that the Template runs inside a context and can access only what is available in it but that includes also .NET Framework assemblies.

Answer 2

A cshtml Razor file is able to execute any. NET code in the context of the site so yes, it is a security risk to permit them to be supplied by users.

You would be better served by accepting a more general HTML template, with custom tokens to input Model data.

Answer 3

In version 3 I've introduced an IsolatedTemplateService which supports the parsing/compiling of templates in another AppDomain. You'll be able to control the creation of the application domain that templates will be compiled in, which means you can introduce whatever security requirements you want by applying security policies to the child application domain itself.

In future pushes, I am hoping to introduce a generic way for adding extensions to the pipeline, so you can do things like code generation inspection. I would imagine this will enable scenarios for type checking of the generated code before it is compiled.

I pushed an early version of RazorEngine (v3) onto GitHub a few days ago. Feel free to check it out. https://github.com/Antaris/RazorEngine