C#•2y ago

Safe Plugin Loader - Forbid specific namespaces (and reflection usage)?

Im trying to wire a plugin loader where people can extend the application with custom plugins. To ensure people cannot do evil things in their plugin, i want to explicitly whitelist namespaces people can use. If anything forbidden is used in a plugin .dll, i want to reject loading it.

The loading and unloading part is the easiest thing, but what about the namespace restrictions? Anyone has any idea how i can do that? Also i need to forbid the usage of .GetType or typeof() to get around reflection usage. My idea would be by either hand-parse the .dll, somehow find all namespace or function references, and evaluate this manualy as im unaware of any other method. But maybe there is?

Jimmacle•12/21/23, 8:40 AM

if you want any level of control you cannot use precompiled code

Jimmacle•12/21/23, 8:42 AM

you'd be better off building a system that compiles plugins from source and uses roslyn to analyze the syntax beforehand

IceReaperOP•12/21/23, 8:44 AM

Hm.. thats also an interesting approach, but i guess shipping the whole toolchain to build project requires users - in this case gamers, as the plugins are for enhancing the game with custom mechanics - to have an sdk installed?

Jimmacle•12/21/23, 8:45 AM

no, you only need to add a dependency on the relevant packages

Jimmacle•12/21/23, 8:46 AM

space engineers is an example of a game that does this

IceReaperOP•12/21/23, 8:46 AM

Oh, thats great to know

That defenitely sounds better then manualy parsing or using a decompiler

Jimmacle•12/21/23, 8:50 AM

you could also consider a hybrid approach where you host a plugin website that devs submit source to and the analysis/compilation happens there

Jimmacle•12/21/23, 8:51 AM

but then the security isn't actually built into the game

IceReaperOP•12/21/23, 8:52 AM

Im building a framework for some games, not a specific game. so where the mods are located would be configurable by the one using the framework

IceReaperOP•12/21/23, 8:53 AM

Ill just ensure the mod uses only allowed system namespaces, as for lists, dictionaries etc along the game api dll and no reflections

Jimmacle•12/21/23, 9:06 AM

you may want to think about more granular control as well

Jimmacle•12/21/23, 9:06 AM

as in whitelisting by type or even member

Jimmacle•12/21/23, 9:07 AM

which would be doable with roslyn

Anchy•12/21/23, 9:09 AM

umod is a c# modding api that has restricted namespaces, you distribute the source files and the api handles compilation like Jimmacle said

Anchy•12/21/23, 9:09 AM

maybe worth looking at

Anchy•12/21/23, 9:09 AM

I believe it's popular in the Rust (game) community

Jimmacle•12/21/23, 9:10 AM

it started there afaik, used to be called oxide (because rust)

Anchy•12/21/23, 9:10 AM

correct, I remember oxide

Jimmacle•12/21/23, 9:24 AM

also, another benefit of doing it the roslyn way is being able to publish those analyzers as a nuget package so plugin devs can use them to get identical errors in their IDE if they try to use something that isn't allowed

IIceReaper Im trying to wire a plugin loader where people can extend the application with c...

Aaron•12/21/23, 9:25 AM

use a language designed around embedding

Aaron•12/21/23, 9:26 AM

lua, for example

Aaron•12/21/23, 9:26 AM

C# isn't designed for it, and attempts to do this, even ones built into the runtime itself (like CAS) always have issues

Jimmacle•12/21/23, 9:26 AM

also that

Jimmacle•12/21/23, 9:27 AM

once you've loaded and executed a plugin there's no real way to unload it

Aaron•12/21/23, 9:27 AM

and if this is for game modding (like you said a moment ago) locking things down just pushes the people who actually want to use those things for something to a different mod loader with less restrictions

Aaron•12/21/23, 9:28 AM

most unity modloaders these days have none whatsoever, with umod being the only notable exception? though it isn't really used often compared to BepInEx or Melonloader

Jimmacle•12/21/23, 9:29 AM

whitelisting makes more sense if it's your game and you want to support modding in a safer way

Jimmacle•12/21/23, 9:30 AM

see: space engineers and the fact that i built an unrestricted plugin loader to get around it KEKW

Aaron•12/21/23, 9:30 AM

if it's your own game, then like I said, use something made for it

Aaron•12/21/23, 9:30 AM

instead of hacking C# to do what you want

Aaron•12/21/23, 9:31 AM

having C# but it's actually a pseudo C# where you can't use most of the APIs because you never thought about the case where somebody would want it will just annoy people that know what C# normally has

IceReaperOP•12/21/23, 11:32 AM

I managed to build a solution in a single c# class which uses roslyn now. So mods have to ship the code sources. I scan the source code, check used types and functionality, verify it against a whitelist, compile the assembly in memory, and load it dynamically. works

thanks for the hint about using roslyn