While working through the ASP.NET security reference implementation (which is good work btw), the following guideline caught my attention:
“Additionally, all calls to DataBinder.Eval() have been removed. While Eval is sometimes safe to use on purely static data, it is best to avoid it completely as it has the potential to allow an attacker to execute arbitrary code on the host server.“
That sounded a bit vague to me and a look at the source also didn’t show anything specifically dangerous. I then double checked with the ASP.NET Team (specifically Stefan Schackow who is always very helpful and a great source of ASP.NET security knowledge), and they confirmed that there is no such problem with Eval.
Eval indeed supports an expression syntax (e.g. Company.Offices) that allows to navigate through object hierarchies (using reflection against public properties only) and of course it may lead to unexpected results if you blindly pipe external input into Eval. I guess that’s what is meant in the guideline.
But IMO the general input validation rules apply here. Also no sign of “executing arbitrary code” on the server.
The 99.9% use case of Eval is static input anyways:
<%# Eval(“FirstName”) %>
I have already seen blogs that multiply this information – so for now:
Eval is not Evil (until proven otherwise)