I have mail-merge like functionality, which takes a template, some business object, and produces html which is then made into PDF.
I'm using RazorEngine to do the template+model to html bit.
If I let the users specify the templates, what risks am I taking? Is it possible to mitigate any risks?
For example, could the users execute arbitrary code? (delete files, alter database, etc.?) Is there some way I can detect this sort of thing? (I know that would be impossible generally, but the bits of code in the razor template should be model property gets, or possibly if statements based on model property values).
I do basically trust the users here (it's a small private project), but as templating engines go, this one seems excessively powerful for this application.
A cshtml Razor file is able to execute any. NET code in the context of the site so yes, it is a security risk to permit them to be supplied by users.
You would be better served by accepting a more general HTML template, with custom tokens to input Model data.