In this article, we want to once again remind you about the risks associated with executing compiled scripts in reports, and consequently, the risks of attacks when loading reports or dashboards.
The point is that if the report calculation mode is set to Compilation, a report opened in the web viewer can carry embedded code that is compiled and executed on the server, which potentially opens the door to remote execution of unsafe code. We have already reviewed the protection layers that apply when a report with compilation is opened in the report designer in a separate article.

Please note!
Stimulsoft doesn’t contain built-in vulnerabilities that could be exploited without the participation of the application developer. Such a threat appears only under a specific project configuration, in particular, when the calculation mode is set to Compilation and user reports are allowed to be uploaded without prior validation of their content.

Protection recommendations

To minimize risks, we recommend the following steps:
  • Disable compilation mode
    The report calculation mode Compilation should be used only when necessary and only in a trusted environment. In most scenarios, we recommend using the Interpretation mode, which doesn’t compile code on the fly and eliminates the possibility of RCE (Remote Code Execution). You can change the calculation mode in a report using the template property in the report designer or in application code for all reports:
    report.CalculationMode = StiCalculationMode.Interpretation;
    Additionally, by using the global Viewer component option, you can disable loading reports in Compilation mode:
    StiOptions.Viewer.AllowOpenDocumentWithCompilation = false;
  • Using scripts in interpretation
    In release 2025.3 of the report generator for .NET and .NET Framework platforms, support has been added for executing CSharp scripts in Interpretation mode. In a script, you can use report variables, data columns, functions, including user-defined functions, as well as basic CSharp constructs such as if, else, the ternary operator, and loops. Scripts can be executed in events, user functions, and report expressions. Script execution can be disabled via the report property Allow Scripts To Run. For embedded Stimulsoft components, there is a global option StiOptions.Engine.AllowScriptsToRun to enable or disable script execution in Interpretation mode.

    With this approach, the functionality is sufficient for most tasks and at the same time practically safe, since a script running in Interpretation mode has no way to harm the system or run malicious code.

  • Filtering incoming data
    If your application allows users to upload reports, make sure that:
    • The uploaded file is validated (for example, XML/JSON analysis for prohibited content);
    • Execution of user code is disabled;
    • Uploaded reports are stored and processed only in an isolated environment;
    • The current system user is granted only the necessary file and data access rights.
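The first item of the list above, validating the uploaded file before it reaches the engine, can be implemented as a plain content check. The following is an added example, not Stimulsoft's own code: it reads the declared calculation mode from an uploaded report in either JSON or XML form and rejects anything that is not explicitly Interpretation mode. It assumes that the mode is stored as a top-level `CalculationMode` property (JSON) or `<CalculationMode>` element (XML) with the values `Interpretation` and `Compilation`; the sample report texts are constructed for the example. A report that declares no mode at all is also rejected, so that the engine default never decides whether user-supplied code gets compiled.

```javascript
// Added example (not Stimulsoft's own code): server-side content check for an
// uploaded report before it is handed to the engine.
// Assumptions: the upload is a report in JSON or XML form, and the calculation
// mode is a top-level "CalculationMode" property / <CalculationMode> element
// with the values "Interpretation" or "Compilation".

const ALLOWED_MODE = "Interpretation";

// Classify the upload by its first non-whitespace character.
function detectFormat(text) {
  const head = text.trimStart();
  if (head.startsWith("{")) return "json";
  if (head.startsWith("<")) return "xml";
  return "unknown";
}

// Extract the declared calculation mode, or null when none is declared.
// Throws on malformed or unrecognised input; the caller turns that into a rejection.
function readCalculationMode(text) {
  const format = detectFormat(text);
  if (format === "json") {
    const doc = JSON.parse(text);
    return typeof doc.CalculationMode === "string" ? doc.CalculationMode : null;
  }
  if (format === "xml") {
    const m = /<CalculationMode>\s*([A-Za-z]+)\s*<\/CalculationMode>/.exec(text);
    return m ? m[1] : null;
  }
  throw new Error("unrecognised report format");
}

// Policy decision: accept only reports that explicitly declare the allowed mode.
// The returned reason is meant for the server log, not for the uploading user.
function validateUploadedReport(text) {
  let mode;
  try {
    mode = readCalculationMode(text);
  } catch (e) {
    return { ok: false, reason: `unparseable upload: ${e.message}` };
  }
  if (mode === null) {
    return { ok: false, reason: "no CalculationMode declared; engine default would apply" };
  }
  if (mode !== ALLOWED_MODE) {
    return { ok: false, reason: `CalculationMode ${mode} is not allowed` };
  }
  return { ok: true, mode };
}

// Constructed sample uploads (not real report files).
const SAMPLE_SAFE_JSON = JSON.stringify({
  ReportName: "Sales", CalculationMode: "Interpretation", Pages: {}
});
const SAMPLE_UNSAFE_XML =
  '<?xml version="1.0" encoding="utf-8"?>\n' +
  '<StiSerializer application="StiReport">\n' +
  "  <CalculationMode>Compilation</CalculationMode>\n" +
  "  <ReportName>Sales</ReportName>\n" +
  "</StiSerializer>";
const SAMPLE_NO_MODE_JSON = JSON.stringify({ ReportName: "Sales", Pages: {} });

// Runs the three constructed samples and returns their verdicts.
function runSamples() {
  return [SAMPLE_SAFE_JSON, SAMPLE_UNSAFE_XML, SAMPLE_NO_MODE_JSON].map(validateUploadedReport);
}
```

On the .NET side the same policy is enforced after loading by assigning `report.CalculationMode = StiCalculationMode.Interpretation;` regardless of what the file declares; the content check above is the earlier gate that keeps a Compilation-mode file from being stored at all.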

Client-Side action interception

As a temporary measure on the client side, you can intercept the actions of viewer controls such as Open and block the loading of potentially harmful files. This complements the server-side filtering described above; it does not replace it.

C#
...
<body>
	<form id="form1" runat="server">
		<cc2:StiWebViewer runat="server" ID="StiWebViewer1" OnGetReport="StiWebViewer1_GetReport" />
	</form>
	<script>
		jsStiWebViewer1.onready = function () {
			// Keep the original handler so that every other action still reaches the viewer.
			jsStiWebViewer1.postAction_ = jsStiWebViewer1.postAction;
			jsStiWebViewer1.postAction = function (action, bookmarkPage, bookmarkAnchor, componentGuid) {
				if (action == "Open" || action == "OpenDashboard") {
					// Write your code here for the "Open" action
					return;
				}
				jsStiWebViewer1.postAction_(action, bookmarkPage, bookmarkAnchor, componentGuid);
			};
		};
	</script>
</body>
...
JavaScript
...
let viewer = new Stimulsoft.Viewer.StiViewer(viewerOptions, "StiViewer", false);
viewer.renderHtml("content");

// Keep the original handler so that every other action still reaches the viewer.
viewer.jsObject.postAction_ = viewer.jsObject.postAction;

viewer.jsObject.postAction = function (action, bookmarkPage, bookmarkAnchor, componentGuid) {
	if (action === "Open" || action === "OpenDashboard") {
		// Write your code here for the "Open" action
		return;
	}
	viewer.jsObject.postAction_(action, bookmarkPage, bookmarkAnchor, componentGuid);
};
...
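Both snippets above leave the body of the Open branch to you. The following is an added example, not Stimulsoft's own code, that packages the same wrapping as a reusable guard: it installs once (a second call does not stack another wrapper), records every blocked attempt through an audit callback, and passes all other actions through to the original handler. It assumes only what the snippets above show, namely that the viewer's JS object exposes `postAction(action, bookmarkPage, bookmarkAnchor, componentGuid)`; `FakeViewer` is a constructed stand-in so the guard can be exercised without the library.

```javascript
// Added example (not Stimulsoft's own code): reusable guard for the viewer's
// postAction, mirroring the interception shown on the page.
// Assumption: the viewer's JS object (viewer.jsObject or jsStiWebViewer1) has a
// postAction(action, bookmarkPage, bookmarkAnchor, componentGuid) method.

const BLOCKED_ACTIONS = new Set(["Open", "OpenDashboard"]);

// Wrap jsObject.postAction so that blocked actions never reach the viewer.
// onBlocked receives a small audit record for each swallowed attempt.
function installOpenGuard(jsObject, onBlocked = () => {}) {
  if (jsObject.__openGuardInstalled) return jsObject;   // install once; re-wrapping would stack guards
  const original = jsObject.postAction;
  jsObject.postAction = function (action, bookmarkPage, bookmarkAnchor, componentGuid) {
    if (BLOCKED_ACTIONS.has(action)) {
      onBlocked({ action, componentGuid, at: new Date().toISOString() });
      return undefined;                                   // nothing is loaded
    }
    return original.call(jsObject, action, bookmarkPage, bookmarkAnchor, componentGuid);
  };
  jsObject.__openGuardInstalled = true;
  return jsObject;
}

// Constructed stand-in for the viewer's JS object, used only to run the example offline.
class FakeViewer {
  constructor() { this.posted = []; }
  postAction(action, bookmarkPage, bookmarkAnchor, componentGuid) {
    this.posted.push(action);
    return `handled ${action}`;
  }
}

// Exercises the guard: two blocked actions, one that passes through, and a
// repeated install that must not wrap the handler twice.
function demo() {
  const blocked = [];
  const viewer = installOpenGuard(new FakeViewer(), (e) => blocked.push(e.action));
  installOpenGuard(viewer, (e) => blocked.push("DUPLICATE " + e.action));
  viewer.postAction("Open", null, null, "guid-1");
  viewer.postAction("OpenDashboard", null, null, "guid-2");
  const printResult = viewer.postAction("Print", null, null, "guid-3");
  return { posted: viewer.posted, blocked, printResult };
}
```

With the real web viewer, call `installOpenGuard(jsStiWebViewer1, ...)` inside `jsStiWebViewer1.onready`, and with the JS viewer call `installOpenGuard(viewer.jsObject, ...)` after `renderHtml`, exactly where the snippets above assign `postAction_`. Sending the audit record to the server gives you a log of blocked upload attempts, which is where a defender would look for someone probing the viewer.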

Once again, we emphasize:

  • Stimulsoft products don’t contain any known built-in vulnerabilities that could be exploited without the application developer’s involvement;
  • Application security depends on the context of use and runtime environment configuration;
  • The ability to execute programming language code in reports is provided as functionality, not as mandatory behavior. We provide flexible configuration options: from strict interpretation without code to a fully compilable environment.

We don’t recommend using Compilation mode if:
  • You are not sure why you need it, or you are not using the functionality it provides;
  • Users are allowed to upload their own reports;
  • There is no additional filtering or execution environment isolation.

Stimulsoft provides broad capabilities for data visualization, including the use of scripts and logic inside reports and dashboards. However, when enabling advanced features (such as Compilation mode), the responsibility for restricting user input and isolating the execution environment rests with the application developers themselves. If you have any doubts or need advice, please contact our technical support directly.