Security Considerations in Windows Forms
- 4 minutes to read
Data Connection Security
The DashboardDesigner and DashboardViewer can use different data source types to supply dashboards with data. Users can create data sources based on predefined data connections in the UI, or you can add predefined data sources in code. You should specify connection parameters to get data from certain data sources. For example, DashboardSqlDataSource and DashboardOlapDataSource can require a user name and password. To avoid data leaks, use one of the following techniques to pass connection parameters safely:
Add the connection string to the connectionStrings section in the application’s configuration file when you work in a development environment.
Data Source Security
SQL Data Source
Validate Custom SQL Queries
The Data Source Wizard allows users to construct SQL queries only in the built-in Query Builder. Queries constructed in the Query Builder are guaranteed to be safe because they can contain only a SELECT statement.
Users cannot edit SQL queries in the Query Builder (the default setting). Refer to the following article for information on how to enable users to edit SQL Queries in the UI: Custom SQL Queries.
Custom SQL queries are validated before their execution. Please make sure to apply a secure SQL validation that prevents harmful request execution: SQL validation.
We recommend that you utilize the access control functionality of your database management system to achieve the highest level of database security.
Do Not Serialize Sensitive Info
You can set the DataConnectionBase.StoreConnectionNameOnly property to
true to serialize only database connection names. This guarantees that the database credentials are never exposed in dashboard definitions.
The initial value of the
DataConnectionBase.StoreConnectionNameOnly property is
false. When this property is disabled, the behavior depends on the SqlWizardSettings.DatabaseCredentialsSavingBehavior and IConnectionStorageService.CanSaveConnection property values.
Entity Framework Data Source - Restrict Access to Unauthorized Assemblies
You cannot load custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) (the default setting).
To permit a user to load a specific assembly, handle the DashboardDesigner.CustomAssemblyLoading / DashboardViewer.CustomAssemblyLoading events. An unauthorized attempt to load a custom assembly results in a CustomAssemblyLoadingProhibitedException.
Excel, Extract, and JSON Data Sources - Restrict Access to External Data Resources
You can read files from any directory by default. To protect your application, use the AccessSettings class to explicitly specify where data sources can be read from. To accomplish this, configure rules in the DataResources property to restrict file system access to specified folders. You can call the SetRules(IAccessRule) method when your application starts to specify rules before a dashboard control sets its rules. The
SetRules(IAccessRule) method can be called only once at application startup. Otherwise, the method will raise an exception. Alternatively, you can use the TrySetRules(IAccessRule) method, which does not raise an exception.
Object Data Source - Validate Data
If a user opens the dashboard that contains the DashboardObjectDataSource, the following message appears before a data load operation:
This dialog allows users to select whether to trust the object data sources available in the application. You can use the DataSourceOptionsContainer.ObjectDataSourceLoadingBehavior property to change this default logic. For instance, you can allow the application to load any object data sources, or you can load object data sources in safe mode when their data member and data source settings are cleared.
To obtain the DataSourceOptionsContainer object that exposes DataSourceOptionsContainer.ObjectDataSourceLoadingBehavior, use one of the following properties:
You can also handle the ObjectDataSource.BeforeFill event to execute custom validation for the specified data source. The corresponding static ObjectDataSource.BeforeFillGlobal event allows you to validate all object data sources in your application.