ThatSoftwareDude
Building the web since 2008

Menu

Newsletter

Resources

Contact

Popular tags

#.NET
#5 minute guide
#AI
#Android
#API
#Artificial Intelligence
#ASP.NET
#Bootcamps
#Business
#C#
#Career
#ChatGPT
#Coding
#Computer Science
#CSS
#CSS3
#Database
#ES6
#Gadgets
#Game Development
#Guide
#Hardware
#HTML5
#Interviews
#IT
#Javascript
#Javascript
#Learning to code
#Module
#Performance
#Productivity
#Programming
#React
#Security
#SQL
#Startup
#Surface
#Web Design
#Web Development
#Windows

How to Safely Execute Dynamic C# Code at Runtime Using Roslyn

Executing dynamic C# code at runtime can be powerful but also comes with security and performance risks. Microsoft’s Roslyn compiler provides a way to compile and execute C# code dynamically while offering safety mechanisms.

This guide walks through how to use Roslyn to safely evaluate and run C# code at runtime.

Why Use Roslyn for Dynamic Code Execution?

Roslyn enables runtime compilation of C# code, making it useful for:

  • Scripting engines within applications.
  • Plugins and extensibility without recompiling the main application.
  • Interactive debugging and testing scenarios.
  • Custom formula evaluations in applications like rule engines.

Step 1: Install Roslyn Dependencies

To use Roslyn for dynamic execution, install the necessary NuGet packages:

Install-Package Microsoft.CodeAnalysis.CSharp.Scripting
Install-Package Microsoft.CodeAnalysis.Scripting

Step 2: Basic Execution of Dynamic Code

A simple way to execute dynamic C# code using Roslyn:

using System;
using System.Threading.Tasks;
using Microsoft.CodeAnalysis.CSharp.Scripting;
using Microsoft.CodeAnalysis.Scripting;

class Program
{
    static async Task Main()
    {
        string code = "1 + 2";
        var result = await CSharpScript.EvaluateAsync<int>(code);
        Console.WriteLine("Result: " + result);
    }
}

Step 3: Providing Context for Execution

To allow dynamic scripts to use variables and functions from your main program, use a custom script state:

class ScriptGlobals
{
    public int X { get; set; } = 10;
}

var options = ScriptOptions.Default.AddReferences(typeof(ScriptGlobals).Assembly);
string code = "X * 2";
var result = await CSharpScript.EvaluateAsync<int>(code, options, new ScriptGlobals());
Console.WriteLine(result); // Output: 20

Step 4: Handling Exceptions in Dynamic Code

Since executing untrusted code can lead to runtime errors, wrap execution in try-catch:

try
{
    string invalidCode = "int x = 1 / 0;";
    await CSharpScript.EvaluateAsync(invalidCode);
}
catch (CompilationErrorException ex)
{
    Console.WriteLine("Compilation Error: " + string.Join("\n", ex.Diagnostics));
}
catch (Exception ex)
{
    Console.WriteLine("Runtime Error: " + ex.Message);
}

Step 5: Security Considerations

Executing user-provided code can be risky. Follow these best practices:

1. Use a Restricted Execution Context

Limit the namespaces and APIs available to the script:

var options = ScriptOptions.Default
    .AddReferences(typeof(object).Assembly) // Only essential assemblies
    .WithImports("System"); // Restrict available namespaces

2. Limit Execution Time

Run code in a separate thread with a timeout:

using System.Threading;
using System.Threading.Tasks;

var cts = new CancellationTokenSource(TimeSpan.FromSeconds(2));
try
{
    var task = CSharpScript.EvaluateAsync("while(true) {}", cancellationToken: cts.Token);
    await task;
}
catch (OperationCanceledException)
{
    Console.WriteLine("Execution Timed Out");
}

3. Use AppDomain Sandboxing (For Older .NET Versions)

In older .NET Framework applications, AppDomains can be used to isolate script execution. However, .NET Core and later versions no longer support AppDomains.

Step 6: Running More Complex Scripts with State

For multi-line scripts, use RunAsync instead of EvaluateAsync:

string script = @"
int Multiply(int a, int b) => a * b;
return Multiply(3, 4);
";
var result = await CSharpScript.RunAsync(script);
Console.WriteLine(result.ReturnValue); // Output: 12

Conclusion

Roslyn provides a powerful way to execute C# code dynamically while maintaining security and control. By following best practices such as limiting execution scope, handling errors, and enforcing timeouts, you can safely integrate dynamic scripting into your applications without exposing them to excessive risk.

0
22
C#

Related

Raw string literals in C# provide a flexible way to work with multiline strings, with some interesting rules around how quotes work.

The key insight is that you can use any number of double quotes (three or more) to delimit your string, as long as the opening and closing sequences have the same number of quotes.

The Basic Rules

  1. You must use at least three double quotes (""") to start and end a raw string literal
  2. The opening and closing quotes must have the same count
  3. The closing quotes must be on their own line for proper indentation
  4. If your string content contains a sequence of double quotes, you need to use more quotes in your delimiter than the longest sequence in your content

Examples with Different Quote Counts

// Three quotes - most common usage
string basic = """
    This is a basic
    multiline string
    """;

// Four quotes - when your content has three quotes
string withThreeQuotes = """"
    Here's some text with """quoted""" content
    """";

// Five quotes - when your content has four quotes
string withFourQuotes = """""
    Here's text with """"nested"""" quotes
    """"";

// Six quotes - for even more complex scenarios
string withFiveQuotes = """"""
    Look at these """""nested""""" quotes!
    """""";

The N+1 Rule

The general rule is that if your string content contains N consecutive double quotes, you need to wrap the entire string with at least N+1 quotes. This ensures the compiler can properly distinguish between your content and the string's delimiters.

// Example demonstrating the N+1 rule
string example1 = """
    No quotes inside
    """; // 3 quotes is fine

string example2 = """"
    Contains """three quotes"""
    """"; // Needs 4 quotes (3+1)

string example3 = """""
    Has """"four quotes""""
    """""; // Needs 5 quotes (4+1)

Practical Tips

  • Start with three quotes (""") as your default
  • Only increase the quote count when you actually need to embed quote sequences in your content
  • The closing quotes must be on their own line and should line up with the indentation you want
  • Any whitespace to the left of the closing quotes defines the baseline indentation
// Indentation example
string properlyIndented = """
    {
        "property": "value",
        "nested": {
            "deeper": "content"
        }
    }
    """; // This line's position determines the indentation

This flexibility with quote counts makes raw string literals extremely versatile, especially when dealing with content that itself contains quotes, like JSON, XML, or other structured text formats.

0
68
c#

Storing passwords as plain text is dangerous. Instead, you should hash them using a strong, slow hashing algorithm like BCrypt, which includes built-in salting and resistance to brute-force attacks.

Step 1: Install BCrypt NuGet Package

Before using BCrypt, install the BCrypt.Net-Next package:

dotnet add package BCrypt.Net-Next

or via NuGet Package Manager:

Install-Package BCrypt.Net-Next

Step 2: Hash a Password

Use BCrypt.HashPassword() to securely hash a password before storing it:

using BCrypt.Net;

string password = "mySecurePassword123";
string hashedPassword = BCrypt.HashPassword(password);

Console.WriteLine(hashedPassword); // Output: $2a$12$...

Step 3: Verify a Password

To check a user's login attempt, use BCrypt.Verify():

bool isMatch = BCrypt.Verify("mySecurePassword123", hashedPassword);
Console.WriteLine(isMatch); // Output: True

Ensuring proper hashing should be at the top of your list when it comes to building authentication systems.

0
174
c#
security
cryptography

String interpolation, introduced in C# 6.0, provides a more readable and concise way to format strings compared to traditional concatenation (+) or string.Format(). Instead of manually inserting variables or placeholders, you can use the $ symbol before a string to directly embed expressions inside brackets.

string name = "Walt";
string job = 'Software Engineer';

string message = $"Hello, my name is {name} and I am a {job}";
Console.WriteLine(message);

This would produce the final output of:

Hello, my name is Walt and I am a Software Engineer

String interpolation can also be chained together into a multiline string (@) for even cleaner more concise results:

string name = "Walt";
string html = $@"
    <div>
        <h1>Welcome, {name}!</h1>
    </div>";
11
90
c#

Popular Questions

How To Count on Distinct Column Values In SQL Server
0
94
sql
How to Hash Passwords in C# Using BCrypt for Enhanced Security
0
174
c#
security
cryptography
How to Write XML Files in C#
0
52
c#
How do Raw String Literals Work in C#
0
68
c#
How to Read a File Line by Line in C#?
2
179
c#
How to Detect and Remove Duplicate Records in SQL Server
0
18
sql
How to Only Read the First N Lines of a File in C#
0
37
c#
How to Use File-Scoped Namespaces in C# for Cleaner Code
0
87
c#
How to Use Lazy Loading in React for Faster Performance
0
72
React
How to Properly Close a SqlDataReader in C#?
0
71
c#