I have create a new "Test Project" and an Unit Test class in order to test the following code inside:<div><br></div><div><div>AppDomain aSandboxedDomain = AppDomain.CreateDomain("Sandboxed Domain");</div>
<div>ScriptEngine engine = Python.CreateEngine(aSandboxedDomain);</div><div>ScriptSource source = engine.CreateScriptSourceFromString(pythonScript);</div><div>ScriptScope scope = engine.CreateScope();</div><div>source.Execute(scope);</div>
<div><br></div><div><br></div>I have add the references:</div><div><br></div><div>- IronPython</div><div>- Microsoft.Scripting</div><div>- Microsoft.ScriptingCore</div><div><br></div><div>But it still not working and throwing the same System.Runtime.Serialization.SerializationException: Type is not resolved for member 'Microsoft.Scripting.Hosting.ScriptRuntimeSetup,Microsoft.Scripting.</div>
<div><br></div><div>Any ideas?</div><div><br></div><div><br><div class="gmail_quote">2009/11/3 Nicolás Buttarelli <span dir="ltr"><<a href="mailto:nbuttarelli@gmail.com">nbuttarelli@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Thanks Shri, I will try.<div><br></div><div>In addition, I found this open issue: <a href="http://dlr.codeplex.com/WorkItem/View.aspx?WorkItemId=2816" target="_blank">http://dlr.codeplex.com/WorkItem/View.aspx?WorkItemId=2816</a>. I think that it is related.<div>
<div></div><div class="h5"><br>
<br><div class="gmail_quote">On Tue, Nov 3, 2009 at 9:29 PM, Shri Borde <span dir="ltr"><<a href="mailto:Shri.Borde@microsoft.com" target="_blank">Shri.Borde@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">I think this happens if the new appdomain cannot load the required
assembly. By default, the new appdomain should inherit its BaseDirectory
property from the creating domain and should be able to load
Microsoft.Scripting.dll. Is your exe and all the dlls in the same folder? If
not, can you try to put all assemblies in the same folder (or in the GAC) to
see if it works? If that works, you can then figure out how to configure the
new appdomain such that it can load Microsoft.Scripting.dll. There may be some
setting in AppDomainSetup, or you could hook the AssemblyResolve event…</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt">
<a href="mailto:users-bounces@lists.ironpython.com" target="_blank">users-bounces@lists.ironpython.com</a> [mailto:<a href="mailto:users-bounces@lists.ironpython.com" target="_blank">users-bounces@lists.ironpython.com</a>] <b>On
Behalf Of </b>Nicolás Buttarelli<br>
<b>Sent:</b> Tuesday, November 03, 2009 12:08 PM</span></p><div><div></div><div><br>
<b>To:</b> Discussion of IronPython<br>
<b>Subject:</b> Re: [IronPython] Safe execution of python scripts on my .net
application</div></div><p></p>
</div><div><div></div><div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Hi again, thanks for your clear response.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I was trying to do what you proposed but it is not
working. I am receiving an exception:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><i>Test method
CadworX3WCFRestTest.IronPython.SafeScriptExecutionTest.writingAFileTest threw
exception: System.Runtime.Serialization.SerializationException: Type is
not resolved for member
'Microsoft.Scripting.Hosting.ScriptRuntimeSetup,Microsoft.Scripting,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'..</i></p>
</div>
<div>
<p class="MsoNormal">I tried to find a solution but I couldn't. This is the
minimal code that I am running to get this exception (I have removed all the
security stuff but apparently that does not resolve the problem):</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div>
<p class="MsoNormal"><i>AppDomain aSandboxedDomain =
AppDomain.CreateDomain("Sandboxed Domain");</i></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><i>ScriptEngine engine =
Python.CreateEngine(aSandboxedDomain);</i></p>
</div>
<div>
<p class="MsoNormal"><i>ScriptSource source =
engine.CreateScriptSourceFromString(pythonScript);</i></p>
</div>
<div>
<p class="MsoNormal"><i>SriptScope scope = engine.CreateScope();</i></p>
</div>
<div>
<p class="MsoNormal"><i>source.Execute(scope);</i></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">The exception is thronged in this line: </p>
</div>
<div>
<p class="MsoNormal"><i>ScriptEngine engine = Python.CreateEngine(aSandboxedDomain);</i></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Do you have any idea which could be the problem?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks again,</p>
</div>
<div>
<p class="MsoNormal">Nicolas</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">On Mon, Nov 2, 2009 at 10:25 PM, Dino Viehland <<a href="mailto:dinov@microsoft.com" target="_blank">dinov@microsoft.com</a>> wrote:</p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Assuming the app domain is setup
properly then there’s no way for the Python code to elevate permissions
(modulo CLR security bugs which are few and far between). This is because
IronPython its self is 100% security transparent and does not affect any
security decisions or assert any form of trust – so it’s all up to
the CLR to limit permissions. So for example while you can access the
file object, or import ctypes, or call various other Python APIs which would
require trust you’ll get a security exception from the CLR when you
don’t have permissions to do something.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">For more complex scenarios you might
also have an object model which you expose to the application and inject in via
its scope. Once you’ve done that you’ll want to make sure
that the object model is also secure.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a href="mailto:users-bounces@lists.ironpython.com" target="_blank">users-bounces@lists.ironpython.com</a>
[mailto:<a href="mailto:users-bounces@lists.ironpython.com" target="_blank">users-bounces@lists.ironpython.com</a>]
<b>On Behalf Of </b>Nicolás Buttarelli<br>
<b>Sent:</b> Monday, November 02, 2009 1:20 PM<br>
<b>To:</b> Discussion of IronPython<br>
<b>Subject:</b> Re: [IronPython] Safe execution of python scripts on my .net
application</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks
for your response.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">But
what happens with the python code? Does not exist a way to write some
scripts that can do some damage to my app, the server, the database, etc?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks
again,</p>
</div>
<div>
<p class="MsoNormal">Nicolas</p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On
Mon, Nov 2, 2009 at 9:41 PM, Dino Viehland <<a href="mailto:dinov@microsoft.com" target="_blank">dinov@microsoft.com</a>>
wrote:</p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">After creating your app domain you can
do:</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">ScriptEngine engine =
Python.CreateEngine(someAppDomain);</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">And then the rest of your code should
work as it’s written.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a href="mailto:users-bounces@lists.ironpython.com" target="_blank">users-bounces@lists.ironpython.com</a>
[mailto:<a href="mailto:users-bounces@lists.ironpython.com" target="_blank">users-bounces@lists.ironpython.com</a>]
<b>On Behalf Of </b>Nicolás Buttarelli<br>
<b>Sent:</b> Monday, November 02, 2009 12:39 PM<br>
<b>To:</b> <a href="mailto:users@lists.ironpython.com" target="_blank">users@lists.ironpython.com</a><br>
<b>Subject:</b> [IronPython] Safe execution of python scripts on my .net
application</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Sorry, I don't know if my previous message have
arrived. So, here it is:</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt">Hello all,</span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">I am starting with python and I would like to add to
my web application some web services. This services will allow the different
clients of my application to execute some python scripts. </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">I would like to know if someone did this before and
how can I do this in a secure way. I mean, how can I do to restrict the
environment where the scripts will be executed. </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">In .net I can do this using the AppDoman and setting
the permission set.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#333333">AppDomain.CreateDomain( </span><span style="font-size:10.0pt;font-family:"Courier New";color:blue">string</span><span style="font-size:10.0pt;font-family:"Courier New";color:#333333"> friendlyName,<br>
Evidence
securityInfo,<br>
AppDomainSetup
info,<br>
PermissionSet
grantSet,<br>
</span><span style="font-size:10.0pt;font-family:"Courier New";color:blue">params</span><span style="font-size:10.0pt;font-family:"Courier New";color:#333333"> StrongName[]
fullTrustAssemblies);</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Is there a way to do the same with my python
scripts? </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">I am running them using this:</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">ScriptEngine engine = Python.CreateEngine();</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">ScriptSource source =
engine.CreateScriptSourceFromString(scriptAsString);</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">ScriptScope scope = engine.CreateScope();</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">source.Execute(scope);</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Thanks in advance.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Nicolas</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.ironpython.com" target="_blank">Users@lists.ironpython.com</a><br>
<a href="http://lists.ironpython.com/listinfo.cgi/users-ironpython.com" target="_blank">http://lists.ironpython.com/listinfo.cgi/users-ironpython.com</a></p>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.ironpython.com" target="_blank">Users@lists.ironpython.com</a><br>
<a href="http://lists.ironpython.com/listinfo.cgi/users-ironpython.com" target="_blank">http://lists.ironpython.com/listinfo.cgi/users-ironpython.com</a></p>
</div>
<p class="MsoNormal"> </p>
</div>
</div></div></div>
</div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.ironpython.com" target="_blank">Users@lists.ironpython.com</a><br>
<a href="http://lists.ironpython.com/listinfo.cgi/users-ironpython.com" target="_blank">http://lists.ironpython.com/listinfo.cgi/users-ironpython.com</a><br>
<br></blockquote></div><br></div></div></div>
</blockquote></div><br></div>