.net, security, reflection, .net-assembly

Is loading assemblies in .net safe when not activating/instantiating anything?


I'm currently working on an asp.net application for someone that has the ability to automatically load .net assembly files at the start of the application's runtime and allow the user to add new assemblies on the fly.

I'm planning to make a page that allows the authorized user to manually load and view information about the assembly such as referenced assemblies as well as namespaces and classes contained within. If the user accesses this information and deems it 'safe', the assembly will be added to a list of assemblies to be loaded and processed along with the others at the application's start. After the application adds the assembly to the trusted list then the application will process the assembly's contents.

What I need to know is whether or not one would say it's 'safe' to just outright load the assembly to acquire this information if no classes are being activated/instantiated. If not, what resources would be best for this approach of assessing an assembly's threat?


Solution

  • If you are looking to do it more securely, you could start a new AppDomain and load the assembly from there, or even easier, you could load the assembly in reflection-only mode, like

    http://msdn.microsoft.com/en-us/library/system.reflection.assembly.reflectiononlyloadfrom.aspx

    About what threat a random assembly might pose to a web app, it is no light matter and you shouldn't blindly trust assemblies from third parties. For example, an assembly might contain a method marked with the prestart attribute and do foul things before your application starts. It also may be harmfully written to contain the same namespaces and class names as others, so that unsuspectingly written reflection code might pick up classes from the malicious assembly rather than another. There are many reasons why you wouldn't want to load just anyone's assemblies into your app.
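
An added example, not part of the original answer: a reflection-only inspection routine for the review page described in the question, written for .NET Framework 4.x. The names `AssemblyInspector` and `Inspect` are hypothetical, and the check assumes the "prestart attribute" mentioned above is `System.Web.PreApplicationStartMethodAttribute`.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;

static class AssemblyInspector   // hypothetical helper name
{
    // Lists references, assembly-level attributes and types without running code from the file.
    public static void Inspect(string path)
    {
        string dir = Path.GetDirectoryName(Path.GetFullPath(path));
        // Dependencies are not resolved automatically in the reflection-only context:
        // look next to the inspected file first, then fall back to the normal probing rules.
        ResolveEventHandler resolver = (s, e) =>
        {
            string local = Path.Combine(dir, new AssemblyName(e.Name).Name + ".dll");
            return File.Exists(local) ? Assembly.ReflectionOnlyLoadFrom(local)
                                      : Assembly.ReflectionOnlyLoad(e.Name);
        };
        AppDomain.CurrentDomain.ReflectionOnlyAssemblyResolve += resolver;
        try
        {
            Assembly asm = Assembly.ReflectionOnlyLoadFrom(path);
            Console.WriteLine("Assembly: " + asm.FullName);
            foreach (AssemblyName r in asm.GetReferencedAssemblies())
                Console.WriteLine("  references " + r.FullName);

            // GetCustomAttributes() would instantiate attribute classes and throws in this
            // context; CustomAttributeData exposes the same declarations as inert data.
            foreach (CustomAttributeData a in CustomAttributeData.GetCustomAttributes(asm))
            {
                string name = a.Constructor.DeclaringType.FullName;
                // Assumption: this is the "prestart attribute" the answer refers to.
                string flag = name == "System.Web.PreApplicationStartMethodAttribute" ? "  <-- review" : "";
                Console.WriteLine("  attribute " + name + "(" + string.Join(", ", a.ConstructorArguments) + ")" + flag);
            }

            Type[] types;
            try { types = asm.GetTypes(); }
            catch (ReflectionTypeLoadException ex)
            {   // A dependency was missing: list the types that did load.
                types = ex.Types.Where(t => t != null).ToArray();
            }
            foreach (Type t in types)
                Console.WriteLine("  type " + t.FullName);
        }
        finally { AppDomain.CurrentDomain.ReflectionOnlyAssemblyResolve -= resolver; }
    }
}
```

Assemblies loaded this way stay in the AppDomain's reflection-only context until the AppDomain is unloaded, so running `Inspect` inside a separate AppDomain (the other option mentioned above) lets the host release the file afterwards.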