Can an app running user-supplied C# code (i.e Microsoft.CodeAnalysis.CSharp.Scripting) ever truly be protected from the script being executed? Use case might be - app supplies an object with a payload that the script can interact with and modify and then the app does further processing on the object returned by the script.
With no measures in place a malicious script could for example introduce reflection and start doing things outside of what the app intends. There's standard measures like restricting namespaces etc. but I'm concerned that this approach treats isolation with ever more fixes for edge cases when what is needed is a fully locked down execution environment that is then opened up as needed.
What's the current state of script execution isolation for C#. Is executing user-supplied code in an app a security non-starter?
With no measures in place a malicious script could for example introduce reflection and start doing things outside of what the app intends. There's standard measures like restricting namespaces etc. but I'm concerned that this approach treats isolation with ever more fixes for edge cases when what is needed is a fully locked down execution environment that is then opened up as needed.
What's the current state of script execution isolation for C#. Is executing user-supplied code in an app a security non-starter?
