Security Considerations

This document describes how to avoid possible security risks when you deploy a WinForms application that contains the DashboardDesigner or DashboardViewer control.

Data Connection Security

The DashboardDesigner and DashboardViewer can use different data source types to supply dashboards with data. Users can create data sources based on predefined data connections in the UI, or you can add predefined data sources in code. Some data sources require connection parameters before data can be retrieved; for example, DashboardSqlDataSource and DashboardOlapDataSource can require a user name and password. To avoid leaking these credentials, use one of the following techniques to pass connection parameters safely:

Data Source Security

SQL Data Source - Enable Custom SQL

The Data Source Wizard allows users to construct SQL queries only in the built-in Query Builder. Queries constructed in the Query Builder are guaranteed to be safe because they can contain only a SELECT statement.

By default, users cannot edit SQL queries in the Query Builder. Refer to the following article for information on how to enable users to edit SQL queries in the UI: Custom SQL Queries. Custom SQL queries are validated before they are executed. Make sure that you apply strict SQL validation that rejects harmful statements before you enable this option.

We recommend that you utilize the access control functionality of your database management system to achieve the highest level of database security.

Entity Framework Data Source - Restrict Access to Unauthorized Assemblies

By default, custom assemblies referenced by Entity Framework data sources (DashboardEFDataSource) cannot be loaded.

To permit a user to load a specific assembly, handle the DashboardDesigner.CustomAssemblyLoading / DashboardViewer.CustomAssemblyLoading events. An unauthorized attempt to load a custom assembly results in a CustomAssemblyLoadingProhibitedException.

Excel, Extract, and JSON Data Sources - Restrict Access to External Data Resources

The Dashboard Control gets data from resources stored on the disk or on the Internet. We recommend that you specify access settings for data resources (Excel, Extract, and JSON data sources).

Use the AccessSettings class to explicitly allow the path to the data file. To accomplish this, configure rules in the DataResources property to restrict file system access to the specified folders. Call the SetRules(IAccessRule[]) method when the application starts so that your rules are in place before a dashboard control sets its own. The SetRules(IAccessRule[]) method can be called only once, at application startup; a second call raises an exception. Alternatively, use the TrySetRules(IAccessRule[]) method, which does not raise an exception if rules have already been set.
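The following startup code is an added example and is not part of the original article or of the DevExpress product code. It applies the two restrictions described above: it locks file and URL access for Excel, Extract, and JSON data sources with TrySetRules before any dashboard control is created, and it handles DashboardDesigner.CustomAssemblyLoading with an allow-list so that only a named assembly can be loaded by Entity Framework data sources. The folder name, the assembly name, and the AssemblyUri and Allow members of the event arguments are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Windows.Forms;
using DevExpress.DataAccess;   // AccessSettings, DirectoryAccessRule, UrlAccessRule
using DevExpress.DashboardWin; // DashboardDesigner

static class Program
{
    // Hypothetical allow-lists for this example; replace with your own values.
    static readonly string DataFolder =
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "DashboardData");
    static readonly string[] TrustedAssemblies = { "Contoso.DashboardModel.dll" };

    [STAThread]
    static void Main()
    {
        // 1. Restrict Excel/Extract/JSON data sources to one local folder and
        //    deny all Internet resources. This must run before a dashboard
        //    control is created; TrySetRules returns false instead of
        //    throwing if rules were already set elsewhere.
        bool applied = AccessSettings.DataResources.TrySetRules(
            DirectoryAccessRule.Allow(DataFolder), // only this folder is readable
            UrlAccessRule.Deny());                 // no remote data files at all
        if (!applied)
            MessageBox.Show("Data resource access rules were already configured.");

        Application.EnableVisualStyles();
        var form = new Form { Text = "Dashboard" };
        var designer = new DashboardDesigner { Dock = DockStyle.Fill };

        // 2. Permit only allow-listed assemblies for EF data sources.
        //    Assumption: the event arguments expose AssemblyUri and Allow.
        designer.CustomAssemblyLoading += (sender, e) =>
        {
            string file = Path.GetFileName(e.AssemblyUri.ToString());
            e.Allow = Array.Exists(TrustedAssemblies,
                name => string.Equals(name, file, StringComparison.OrdinalIgnoreCase));
            // When Allow stays false, the control raises
            // CustomAssemblyLoadingProhibitedException for that assembly.
        };

        form.Controls.Add(designer);
        Application.Run(form);
    }
}
```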

Object Data Source - Validate Data

If a user opens the dashboard that contains the DashboardObjectDataSource, the following message appears before a data load operation:

(Image: WinDashboard_SecurityConsiderations_Warning, the object data source trust dialog)

This dialog allows users to select whether to trust the object data sources available in the application. You can use the DataSourceOptionsContainer.ObjectDataSourceLoadingBehavior property to change this default logic. For instance, you can allow the application to load any object data source, or you can load object data sources in safe mode, in which their data member and data source settings are cleared.

To obtain the DataSourceOptionsContainer object that exposes DataSourceOptionsContainer.ObjectDataSourceLoadingBehavior, use one of the following properties:

You can also handle the ObjectDataSource.BeforeFill event to execute custom validation for the specified data source. The corresponding static ObjectDataSource.BeforeFillGlobal event allows you to validate all object data sources in your application.