/// <summary>
/// Gets the allow list scanner used to detect client-side only constructs that should not be run on the service.
/// </summary>
/// <returns>Allow list scanner used to detect client-side only constructs that should not be run on the service.</returns>
private static AllowListScanner GetAllowListScanner()
{
    // This is a declarative table of the constructs whose expression tree representation may be shipped to
    // the service for remote execution. It doubles as a detector for user code (e.g. reads from local fields)
    // that has leaked into the expression tree of a query or a define operation. Treat this table with
    // EXTREME caution: only allowed BCL functionality belongs here, and under no circumstance whatsoever
    // reactive interfaces, query operators, or the like. When the scanner throws for a construct that is not
    // on the list, the right fix is (almost) never to extend the list; something higher up the expression
    // rewrite stack is wrong instead.
    var scanner = new AllowListScanner();

    // Every member of each of the following types is allowed.
    Type[] allowedDeclaringTypes =
    {
        typeof(Math),
        typeof(TimeSpan),
        typeof(JObject),
        typeof(JProperty),
        typeof(Enumerable),
        typeof(Queryable),
        typeof(KeyValuePair<,>),
        typeof(Tuple<>),
        typeof(Tuple<,>),
        typeof(Tuple<,,>),
        typeof(Tuple<,,,>),
        typeof(Tuple<,,,,>),
        typeof(Tuple<,,,,,>),
        typeof(Tuple<,,,,,,>),
        typeof(Tuple<,,,,,,,>),
    };

    foreach (var declaringType in allowedDeclaringTypes)
    {
        scanner.DeclaringTypes.Add(declaringType);
    }

    // Individually allowed members (added in the same order as before).
    scanner.Members.Add(ReflectionHelpers.InfoOf(() => Environment.MachineName)); // used for diagnostics

    // Needed so that new JObject(new JProperty(...), new JProperty(...)).ToString() passes the scan.
    scanner.Members.Add(typeof(object).GetMethod("ToString", Type.EmptyTypes));

    // Additional specific members declared elsewhere in this class.
    foreach (var allowedMember in MemberAllowList)
    {
        scanner.Members.Add(allowedMember);
    }

    return scanner;
}
/// <summary>
/// Initializes a new instance of the <see cref="ExpressionServices"/> class.
/// </summary>
/// <param name="reactiveClientInterfaceType">Reactive client interface type; forwarded unchanged to the base class constructor.</param>
public ExpressionServices(Type reactiveClientInterfaceType)
    : base(reactiveClientInterfaceType)
{
    // TODO - Allow list should also be added to the service, to protect the service against malformed expressions.
    // The scanner is built once per instance; until the TODO above is addressed it only guards the client side.
    _allowlistScanner = GetAllowListScanner();
}