C Sharp Compile From Untrusted Input
Description
Detects dynamic code compilation through CompileAssemblyFromSource in C# applications. If the source text being compiled contains or is derived from untrusted input, an attacker can inject arbitrary C# code that is compiled and executed at runtime with the application's privileges, which could lead to complete system compromise.
Detection Strategy
• Identifies calls to the CompileAssemblyFromSource method in the code
• Checks if the source code being compiled contains or is derived from untrusted input
• Reports a vulnerability when dynamic compilation is used with potentially untrusted input sources
Vulnerable code example
using System.CodeDom.Compiler;
public class UnsafeCompiler
{
    public void CompileUserCode(string userInput)
    {
        // VULNERABLE: Directly using untrusted input in dynamic code compilation
        string code = @"...
✅ Secure code example
using System.CodeDom.Compiler;
using System.Text.RegularExpressions;
using System.Security;
public class SafeCompiler
{
    public void CompileUserCode(string userInput)
    {...
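The detection strategy described above (find the CompileAssemblyFromSource call, then check whether the source text it receives derives from untrusted input) can be sketched as a small taint check. The Python below is an added example; it is not Fluid Attacks' scanner and not the page's own C# listings, which are truncated here. The two C# samples embedded in it are constructed for the example, and the checker assumes, as a simplification, that every string method parameter and a few well-known input reads (Console.ReadLine, Request.Form/QueryString/Headers) are untrusted sources. The unsafe sample splices the parameter into the compiled source; the safe sample compiles a fixed template and hands the user value to the compiled method only as data.

```python
"""Minimal taint check for CompileAssemblyFromSource calls in C# source.

Added illustration of the detection strategy; not a real SAST engine.
Assumptions (not from the page): every string parameter of a method and a
few well-known input reads are untrusted sources; assignments propagate taint.
"""
import re

# Constructed sample: user text is concatenated into the source that is compiled.
VULNERABLE_SAMPLE = '''
using System.CodeDom.Compiler;
using Microsoft.CSharp;
public class UnsafeCompiler
{
    public void CompileUserCode(string userInput)
    {
        // user text is spliced into the source that gets compiled
        string code = "public class Dyn { public static void Run() { " + userInput + " } }";
        var provider = new CSharpCodeProvider();
        var results = provider.CompileAssemblyFromSource(new CompilerParameters(), code);
    }
}
'''

# Constructed sample: a fixed template is compiled; user input only reaches it as data.
SAFE_SAMPLE = '''
using System.CodeDom.Compiler;
using Microsoft.CSharp;
public class SafeCompiler
{
    private const string Template = "public class Dyn { public static int Run(int x) { return x * 2; } }";
    public int CompileFixedCode(string userInput)
    {
        var provider = new CSharpCodeProvider();
        var results = provider.CompileAssemblyFromSource(new CompilerParameters(), Template);
        // userInput only reaches the compiled method as a parsed integer, never as source text
        int value = int.Parse(userInput);
        return (int)results.CompiledAssembly.GetType("Dyn").GetMethod("Run").Invoke(null, new object[] { value });
    }
}
'''

SINK = "CompileAssemblyFromSource("
# Assumed additional untrusted sources beyond method parameters.
SOURCE_CALLS = ("Console.ReadLine(", "Request.Form", "Request.QueryString", "Request.Headers")

PARAM_RE = re.compile(r"\b\w+\s+\w+\s*\(([^)]*)\)\s*(?:\{|$)")        # method signature
STRING_PARAM_RE = re.compile(r"\bstring\s+(\w+)")                      # string parameters
ASSIGN_RE = re.compile(
    r"^\s*(?:(?:public|private|static|const|readonly)\s+)*"
    r"(?:[\w<>\[\]]+\s+)?(\w+)\s*\+?=\s*(.+);\s*$")                     # [type] name = expr;
LITERAL_RE = re.compile(r'\$?@?"(?:[^"\\]|\\.)*"')                    # string literals
INTERP_RE = re.compile(r"\{(\w+)\}")                                   # {name} in $"..." strings
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def _references(expr: str) -> set:
    """Identifiers an expression reads, including names interpolated into strings."""
    names = set(INTERP_RE.findall(expr))
    names.update(IDENT_RE.findall(LITERAL_RE.sub('""', expr)))
    return names


def scan(source: str) -> list:
    """Return one finding per CompileAssemblyFromSource call fed a tainted argument."""
    lines = source.splitlines()
    tainted = set()
    # Pass 1: every string parameter is treated as untrusted (assumption).
    for line in lines:
        m = PARAM_RE.search(LITERAL_RE.sub('""', line))
        if m:
            tainted.update(STRING_PARAM_RE.findall(m.group(1)))
    findings = []
    # Pass 2: propagate taint through assignments in order, then check the sink.
    for number, raw in enumerate(lines, start=1):
        line = re.sub(r"//.*$", "", raw)                 # naive line-comment strip
        m = ASSIGN_RE.match(line)
        if m:
            target, rhs = m.group(1), m.group(2)
            if (_references(rhs) & tainted) or any(s in rhs for s in SOURCE_CALLS):
                tainted.add(target)
        if SINK in line:
            args = line.split(SINK, 1)[1].split(";", 1)[0]
            hits = sorted(_references(args) & tainted)
            if hits:
                findings.append({"line": number, "tainted_args": hits, "code": raw.strip()})
    return findings


if __name__ == "__main__":
    for name, sample in (("unsafe", VULNERABLE_SAMPLE), ("safe", SAFE_SAMPLE)):
        print(name, scan(sample))
```

The check is intentionally coarse: it over-approximates (any string parameter is a source, any assignment reading a tainted name taints its target) and ignores control flow, which is the right bias for a rule whose sink is compile-and-run of attacker-shaped text. A real engine would follow the source argument through method calls and fields as well, but the shape of the decision is the same: a sink finding is reported only when the compiled text is data-flow reachable from input.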