I am developing a commercial VB.net WPF application that needs user generated scripts for controlling the application to be shared between users. The best way that I have come across of accomplishing this so far without writing my own parser is using the Microsoft Script Control.
It would appear that both VBScripts and JScripts run through this control have access to wscript and as a result are too powerful to be shared between programmers and non-technical users for obvious security reasons.
I have considered trying to filter out dangerous scripts with some kind of regex parsing or something but that just seems far too risky and easy to circumvent.
So, is there some way of using this control but blocking its access to the system so that it could be used for controlling only the objects that I give it? If not, could someone recommend a better way of doing this?
I do not particularly mind what language the script would be in at this stage, although having multiple options would be nice.
EDIT: I am basing my conclusion that the control is too powerful for this on the fact that the following JScript code successfully launches notepad when called using the .AddCode and .Run methods of the control.
function test(){
var shell = new ActiveXObject("WScript.shell");
shell.run("notepad.exe", 1);
}
Thanks for all the help,
Sam.
If you just need to kill the ActiveXObject feature which is the entry point to the system, you can silently append some lines to the code you give to the Script Control, like this for example:
Of course, if you still need to give some functions to your users, you will then need to propose some sort of an API, use the AddObject function (see How To Use the AddObject Method of the Script Control), and the user would use it like this:
PS: WScript is a, ActiveX Scripting host, so it’s not accessible from the Script Control.
PS2: This hack does not work in every Script Control underlying languages. It works in JavaScript, but not in VBScript for example.