C# Source Generators

A week ago Microsoft released a preview of a new compiler feature called C# Source Generators. This feature allows to inspect existing source-code and generate additional C# source files that will be added to the compiled output. One of the goals is to use this in order to remove the need for any (slower) dynamic runtime behavior that rely on reflection. There are also benefits from security perspective that can be added to that list, let’s look into that a bit further!

Source Generator

When a Source Generator is added to a .NET Core project it will be executed when the project is being build. It has the ability to inspect the programs source artifacts and create additional files that will be added to the output. The concept is also called Compile Time Metaprogramming as explained in the design document. Source Generators have a strong relationship with existing Roslyn Analyzers that allow you to inspect both syntax and the semantic models of the compilation.

Application Parts in ASP.NET Core MVC

When you create an ASP.NET Core MVC application and add new functionality with either implementations of Controllers and Views or Razor Pages it all just works when you start it. One key element in making all of this possible is a component called the ApplicationPartsManager. This manager will contain a list of FeatureProviders that will dynamically populate the needed content for e.g. Razor Pages, Controllers, TagHelpers and Views. Read the Share controllers, views, Razor Pages and more with Application Parts article in the Microsoft documentation for more details on how it works.

What is exposed by ASP.NET Core MVC?

The whole way of automagically resolving the content can be really helpful when developing. One big downside is the fact that there is a risk of exposing more than intended. From the main MVC project (the one that constructs the host builder), any referenced project or added package that also reference the Microsoft.AspNetCore.Mvc package will automatically be scanned for controllers. The class needs to match a naming convention that ends with ...Controller (including inheritance) or is annotated with the Microsoft.AspNetCore.Mvc.ControllerAttribute. Each identified controller will then have all it’s public methods exposed and keep in mind that any used third-party package has the ability to do exactly the same. It is not unseen that packages get compromised (there are a lot of ways!) by people who have got other and/or bad intentions. Of course it’s possible to determine a list of exposed controllers at runtime but I think it’s better to have more control (e.g. whitelist of allowed ones) from the start, and earliest possible will of course be at compile time.

Determine exposed controllers at compile time

A bit more than a year ago David Fowler shared a tweet in which he explained that one of the design goals of ASP.NET Core was to remove the scanning of assemblies at start up to find things that are exposed. And that is exactly what the new compiler feature of C# Source Generators will bring to ASP.NET Core MVC. Currently the samples show some basic scenario’s on how it can be used, I’m really looking forward on seeing an implementation of it in the ASP.NET Core MVC packages. An additional benefit of all of this is that from static analysis perspective there will be less need to understand what happens at runtime when resolving controllers dynamically, because it’s all just part of the compiled assembly.

Hello Blog!

Welcome to the first post on my blog, with definitely a lot more to follow! I’ve been thinking about doing this for a while and realized that this is the right moment to start one. Over the last years I’ve done a lot of speaking on various topics and with this blog I’m going to take it a bit further with sharing more content more frequently.

What will I write about? Because I work as a security researcher for Veracode and as the subtitle of the blog indicates, it will mostly be about application/software security and .NET. But definitely won’t mean it will be exclusively about that. Lately I’ve been playing around with Rust and really enjoying it. Same counts for all things happening around WebAssembly, which of course is not only limited to Blazor. Want to know more about me and my background? I suggest to read the About Me page for that.

Hope to see you back soon! You can always start following me on Twitter @nielstanis where I’ll also share if there is new content available. And on the page about Speaking you can find links to the content of the talks I’ve given in the past.