Parser Context Security #38

Open
sl0burn opened this issue Jul 21, 2021 · 1 comment

sl0burn commented Jul 21, 2021

Not an issue but a question - the company I work for is interested in using the library but wants to know what security constraints are imposed within the parser context.
Specifically, things that help avoid the equivalent of SQL injection attacks.

@VitaliyMF
Contributor

LambdaParser doesn't produce SQL code -- so I'm not sure why you mentioned "sql injection attacks". Note that LambdaParser is not suitable for parsing expressions that may be directly used with, say, EntityFramework.

LambdaParser is often used to evaluate user-defined expressions, and it is designed to have a 'safe' evaluation context, meaning that an expression can use only 'context' objects and cannot access any APIs beyond this context (= so you can control what objects and their methods/properties could be used in the expression). In particular, it is not possible to call static/extension methods; a weak point could be the possibility to call Object.GetType() (and potentially use reflection on the context's object), but it's easy to add an option to prohibit usage of the "GetType" method.
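
As an added illustration of the GetType concern raised in the reply above (not code from LambdaParser or its maintainers): a caller-side allowlist check that can run on a user-supplied expression before it is handed to the parser. The class names, the allowlisted member names and the sample expressions are constructed for this example.

```csharp
using System;
using System.Collections.Generic;

// Added example: a caller-side check, not part of LambdaParser.
static class ExpressionGuard
{
    // Collects the name following every '.' in the expression text.
    // String literals are deliberately NOT skipped: guessing the parser's
    // quoting rules wrongly could hide a member access, so the scan fails closed.
    public static List<string> MemberNames(string expr)
    {
        var names = new List<string>();
        for (int i = 0; i < expr.Length; i++)
        {
            if (expr[i] != '.') continue;
            int j = i + 1;
            while (j < expr.Length && char.IsWhiteSpace(expr[j])) j++;
            if (j < expr.Length && char.IsDigit(expr[j])) continue; // decimal such as 100.5
            int start = j;
            while (j < expr.Length && (char.IsLetterOrDigit(expr[j]) || expr[j] == '_')) j++;
            names.Add(expr.Substring(start, j - start)); // "" when no identifier follows
        }
        return names;
    }

    // True only when every member name found is non-empty and on the allowlist.
    public static bool IsAllowed(string expr, ISet<string> allowedMembers)
    {
        foreach (string name in MemberNames(expr))
            if (name.Length == 0 || !allowedMembers.Contains(name)) return false;
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed allowlist and expressions.
        var allowed = new HashSet<string>(StringComparer.Ordinal) { "Total", "Length" };
        Console.WriteLine(ExpressionGuard.IsAllowed("order.Total > 100.5 && name.Length < 20", allowed));
        Console.WriteLine(ExpressionGuard.IsAllowed("order.GetType()", allowed));
        Console.WriteLine(ExpressionGuard.IsAllowed("order . GetType ()", allowed));
    }
}
```

Because the scan does not skip string literals, an expression whose literal text contains a dot followed by an unlisted word is also rejected; that is the cost of failing closed.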
