Obsolete 'Restricted' Script Execution Mode
Important
This script execution mode is now obsolete. We recommend that you enable the Deny mode and try to use expression bindings instead. If you fully trust your reports, you can use the Unrestricted mode. See Scripts - Security Considerations for more information.
Specify Script Permissions
To enable the Restricted mode at your own risk, register a ScriptPermissionManager class instance at application startup as shown below.
This code registers the Internet Zone Evidence and applies the following default permissions:
- AspNetHostingPermission
- DnsPermission
- IsolatedStorageFilePermission
- PrintingPermission
- SmtpPermission
- UIPermission
Important
To apply restrictions, you are required to enable the CAS policy option in the application’s configuration file. Otherwise, an attempt to execute a report script under the Restricted mode will cause an exception.
To run scripts in Restricted mode with only specific actions allowed, define an Evidence (e.g., with the Zone set to MyComputer) and assign it to your custom ScriptPermissionManager.
Important
Each security zone has a specific set of associated permissions. When selecting a zone, please make sure that it applies appropriate permissions. For more information, review the following topic: Default Security Policy.
For example, the following code defines custom script permissions.
using DevExpress.XtraReports.Security;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
// ...
static void Main() {
    // Define new Evidence with the specified SecurityZone.
    var evidence = new Evidence(new EvidenceBase[] { new Zone(System.Security.SecurityZone.MyComputer) }, new EvidenceBase[] { });
    // Define specific permissions to be restricted for the specified Evidence.
    FileIOPermission filePermission = new FileIOPermission(PermissionState.Unrestricted);
    // Restrict specific permissions based on your requirements.
    var restrictPermissions = new IPermission[] {
        // Uncommenting the following line will cause a security exception on an attempt to access the file system by report scripts.
        // filePermission,
    };
    // Assign a script permission manager instance with the specified script execution mode, evidence and restrictions.
    ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager((ExecutionMode)2, evidence, restrictPermissions);
    // ...
}
As a result of applying a FileIOPermission, the execution of the following report script becomes permitted.
using System.IO;
// ...
private void XtraReport_BeforePrint(object sender, System.ComponentModel.EventArgs e) {
    FileStream fs = File.Create(@"C:\Temp\test.txt");
    fs.Close();
}
The execution of the above script will be attempted on previewing the report, as well as on exporting it to any of the supported third-party formats.
using DevExpress.XtraReports.UI;
// ...
private void button1_Click(object sender, System.EventArgs e) {
    XtraReport report = new XtraReport();
    report.LoadLayoutFromXml(@"..\..\report.xml");
    report.ExportToPdf("report.pdf");
}
Enable the Code Access Security Policy
Starting with .NET Framework version 4, script restrictions are applied only if the code access security (CAS) policy is enabled in the application. This policy is disabled by default. For it to determine the permissions granted to the code, it must be explicitly enabled in the application’s configuration file.
web.config
<configuration>
    <system.web>
        <trust level="Full" legacyCasModel="true"/>
    </system.web>
</configuration>
app.config
<configuration>
    <runtime>
        <NetFx40_LegacySecurityPolicy enabled="true" />
    </runtime>
</configuration>
Important
This policy is required only for the Restricted script execution mode.
You are not required to enable this policy if your web application does not provide an End-User Report Designer (or if it does, only trusted third-parties are enabled to use the Designer).
If your application does not implement this policy, an attempt to execute a report script under the Restricted mode will cause an exception.
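The following console check is an added example, not DevExpress code. It prints what the legacy CAS policy grants to each zone, so you can confirm the zone you pass to ScriptPermissionManager before relying on it, and it reports clearly when the CAS policy option is not enabled. It assumes .NET Framework 4.x; the class and method names are hypothetical, and it does not show how ScriptPermissionManager combines the evidence with its restriction list.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Hypothetical helper for illustration; not part of the DevExpress API.
static class ZoneGrantAudit {
    // Returns the permission set that legacy CAS policy grants to code carrying the given zone evidence.
    // Throws NotSupportedException when legacy CAS policy is not enabled in the configuration file.
    static PermissionSet ResolveZoneGrant(SecurityZone zone) {
        var evidence = new Evidence(new EvidenceBase[] { new Zone(zone) }, new EvidenceBase[] { });
#pragma warning disable 618 // ResolvePolicy is obsolete in .NET Framework 4 and works only with legacy CAS policy.
        return SecurityManager.ResolvePolicy(evidence);
#pragma warning restore 618
    }

    static void Main() {
        var zones = new[] { SecurityZone.MyComputer, SecurityZone.Intranet, SecurityZone.Internet };
        foreach (var zone in zones) {
            PermissionSet grant;
            try {
                grant = ResolveZoneGrant(zone);
            }
            catch (NotSupportedException) {
                Console.Error.WriteLine("Legacy CAS policy is disabled; enable it in app.config or web.config first.");
                return;
            }

            // An unrestricted set enumerates no individual permissions, so report it explicitly.
            Console.WriteLine("{0}: {1}", zone,
                grant.IsUnrestricted() ? "unrestricted (full trust)" : grant.Count + " permission(s)");
            foreach (IPermission permission in grant)
                Console.WriteLine("  " + permission.GetType().Name);

            // File system access is the case the sample on this page restricts.
            var fileAccess = new PermissionSet(PermissionState.None);
            fileAccess.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
            Console.WriteLine("  grants unrestricted FileIOPermission: " + fileAccess.IsSubsetOf(grant));
        }
    }
}
```

Run it with the same app.config as the reporting application; a zone that resolves to an unrestricted set leaves the restriction list passed to ScriptPermissionManager as the only limit on report scripts.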
ASP.NET MVC Specifics
In ASP.NET MVC applications, adding the <trust level="Full" legacyCasModel="true"/> section to a configuration file to enable the execution of report scripts under the specified restrictions may result in the following exception: “Dynamic operations can only be performed in homogenous AppDomain”. This is a result of restricted support for dynamic operations in ASP.NET MVC 4+ applications when legacy code access security is enabled.
As a workaround, you can move the report execution to a separate web application where legacy code access security (CAS) is enabled and restrictions for the report scripts are specified. Then, you can disable the legacy CAS in your main ASP.NET MVC application, so that all report scripts will be executed in a separate web application where the restrictions are enabled.
To implement this approach, consider the following.
- You can configure authentication to allow only authenticated users to access your backend. To do that, use the AuthorizeAttribute in the web document viewer controller’s code.
- Deny access to DevExpress HTTP handlers that are used by our Reporting components in the main application’s configuration file.

  <system.web>
      ...
      <authorization>
          <deny verbs="DXXRD.axd" users="*" />
          <deny verbs="DXXRDV.axd" users="*" />
      </authorization>
  </system.web>

- To deny the execution of these handlers on the backend, set their SessionState to the SessionStateBehavior.Required mode.

  protected void Application_Start(object sender, System.EventArgs e) {
      DevExpress.XtraReports.Web.WebDocumentViewer.Native.WebDocumentViewerBootstrapper.SessionState = System.Web.SessionState.SessionStateBehavior.Required;
      DevExpress.XtraReports.Web.ReportDesigner.Native.ReportDesignerBootstrapper.SessionState = System.Web.SessionState.SessionStateBehavior.Required;
  }
Please consider the following issues that are specific to DevExpress Reporting extensions.
- Web Report Designer
- HTML5 Document Viewer