Eval is not Evil

While working through the ASP.NET security reference implementation (which is good work btw), the following guideline caught my attention:

Additionally, all calls to DataBinder.Eval() have been removed. While Eval is sometimes safe to use on purely static data, it is best to avoid it completely as it has the potential to allow an attacker to execute arbitrary code on the host server.

That sounded a bit vague to me, and a look at the source also didn’t show anything specifically dangerous. I then double checked with the ASP.NET Team (specifically Stefan Schackow, who is always very helpful and a great source of ASP.NET security knowledge), and they confirmed that there is no such problem with Eval.

Eval does support an expression syntax (e.g. Company.Offices[0]) for navigating object hierarchies. Each segment of the expression is resolved by reflection over public properties and indexers only, and Eval walks whatever path it is given. So if you blindly pipe external input into Eval, the caller decides which public property gets read, which can lead to unexpected results (up to and including exposure of data you never meant to bind). I guess that’s what the guideline is getting at.

But IMO the general input validation rules apply here: don’t let untrusted input pick the expression. That is a data exposure concern, not “executing arbitrary code” on the server, and there is no sign of the latter anywhere in Eval.

The 99.9% use case of Eval is a static expression literal in the page anyway:

<%# Eval("FirstName") %>
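To make the point concrete, here is an added example: a small console program of my own, not code from the post or from the ASP.NET security reference implementation. The Customer, Office and Account classes, the sample values and the EvalKnownColumn helper are constructed for illustration. It shows the static case, what an attacker-controlled expression can reach (any public property path), what it cannot do (call methods or read non-public members), and the allow-list check that the input validation rules boil down to:

```csharp
// Added example (not from the original post): how DataBinder.Eval resolves an
// expression, why an attacker-controlled expression is a data-exposure problem
// rather than code execution, and the input-validation fix.
// Build on .NET Framework with a reference to System.Web:
//   csc /r:System.Web.dll EvalDemo.cs
using System;
using System.Collections.Generic;
using System.Web.UI;

// Hypothetical model, constructed for this example.
public class Office
{
    public string City { get; set; }
}

public class Account
{
    // Something you would never intend to data-bind, but it is a public property
    // and therefore reachable through an Eval expression path.
    public string ApiKey { get; set; }
}

public class Customer
{
    public string FirstName { get; set; }
    public List<Office> Offices { get; set; }
    public Account Account { get; set; }

    // Non-public: TypeDescriptor only exposes public properties, so Eval cannot see it.
    private string PrivateNote { get; set; }

    // A public method: Eval has no syntax for invoking it.
    public string Dangerous() { return "this never runs via Eval"; }
}

public static class EvalDemo
{
    // The "general input validation rules" from the post, made concrete:
    // only expressions from a fixed allow-list of column names ever reach Eval.
    // (Hypothetical helper, not part of ASP.NET.)
    static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.Ordinal) { "FirstName", "Offices[0].City" };

    public static object EvalKnownColumn(object container, string expression)
    {
        if (!AllowedColumns.Contains(expression))
            throw new ArgumentException("Unknown bind expression: " + expression);
        return DataBinder.Eval(container, expression);
    }

    public static void Main()
    {
        var customer = new Customer
        {
            FirstName = "Ada",
            Offices = new List<Office> { new Office { City = "Heidelberg" } },
            Account = new Account { ApiKey = "constructed-sample-key" }
        };

        // 1. The normal, static case: the expression is a literal in the page.
        Console.WriteLine(DataBinder.Eval(customer, "FirstName"));
        Console.WriteLine(DataBinder.Eval(customer, "Offices[0].City"));

        // 2. What goes wrong if the expression comes from the request: Eval walks
        //    any public property path, so the caller chooses what is read.
        string fromRequest = "Account.ApiKey";
        Console.WriteLine(DataBinder.Eval(customer, fromRequest));

        // 3. What does NOT happen: no method invocation, no non-public members.
        //    "Dangerous()" fails in the indexed-expression parser (ArgumentException),
        //    the other two fail the property lookup (HttpException).
        foreach (var expr in new[] { "Dangerous()", "Dangerous", "PrivateNote" })
        {
            try
            {
                DataBinder.Eval(customer, expr);
                Console.WriteLine(expr + ": resolved (unexpected)");
            }
            catch (Exception ex)
            {
                Console.WriteLine(expr + ": " + ex.GetType().Name + " (not executed)");
            }
        }

        // 4. The fix: validate the expression before it reaches Eval.
        Console.WriteLine(EvalKnownColumn(customer, "FirstName"));
        try
        {
            EvalKnownColumn(customer, fromRequest);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```

The DataBinder type used here is the same one the <%# Eval("...") %> page syntax ends up calling on the current data item, so the behaviour in a real page is the same: a static expression reads the column you wrote, an attacker-supplied expression reads whichever public property path they choose, and nothing in either case invokes a method.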

I have already seen blogs repeating this claim – so for now:

Eval is not Evil (until proven otherwise)

 
