Security Considerations in ASP.NET Core

• Nov 03, 2021
• 8 minutes to read

This document describes how to avoid possible security risks when you deploy an ASP.NET Core application that contains the Web Dashboard.

Data Connection Security

The Web Dashboard needs data connection parameters to get data from certain data sources or to display existing dashboards (for instance, created in the WinForms Designer or in code):

• Users can create data sources based on predefined data connections in the UI, or you can add predefined data sources in code. For example, DashboardSqlDataSource and DashboardOlapDataSource can require a user name and password.
• The Web Dashboard control automatically checks whether dashboards contain data connection parameters. If so, the dashboard will not be loaded and an error message will be displayed. In this case, remove all connection parameters from the dashboard definition and keep only a connection name.

To avoid data leaks, use one of the following techniques to pass connection parameters safely:

• Create a data connection provider. For this, implement the IDataSourceWizardConnectionStringsProvider interface and pass the created provider to the DashboardConfigurator.SetConnectionStringsProvider method. See the following topic for details: Register Default Data Connections.

• Add a connection string to the ConnectionStrings section in the appsettings.json file.

  The Web Dashboard control does not expose connection strings from appsettings.json by default. Pass the ConfigFileConnectionStringsProvider instance as the DashboardConfigurator.SetConnectionStringsProvider method’s parameter to allow users to create new data sources based on connection strings from the appsettings.json file.

  using DevExpress.DataAccess.Web;
  // ...
      services.AddScoped<DashboardConfigurator>((IServiceProvider serviceProvider) => {
          DashboardConfigurator configurator = new DashboardConfigurator();
          configurator.SetConnectionStringsProvider(new DashboardConnectionStringsProvider(Configuration));
          return configurator;
      });
  });
  

• If the predefined data source is added in code, handle the DashboardConfigurator.ConfigureDataConnection event to specify connection parameters at runtime.

KB Article - How to protect parameters used to establish a connection to data

Dashboard Controller Security

The ASP.NET Core dashboard uses the DashboardController located in the DevExpress.Dashboard.v21.1.AspNetCore.dll library. The DevExpress.AspNetCore.Dashboard NuGet package contains DevExpress.Dashboard.v21.1.AspNetCore.dll compiled code. If your project uses the DevExpress.AspNetCore.Dashboard NuGet package, the DashboardController is available in your application and responds to requests. Application Parts allow ASP.NET Core to discover and load controllers in all DLLs while the application is running: Share controllers, views, Razor Pages and more with Application Parts.

If you use a custom controller (a DashboardController descendant), then you should take into account that the default controller still responds in case of default routing.

We recommend that you restrict access to the default DashboardController located in the DevExpress.Dashboard.v21.1.Web.Mvc5.dll/DevExpress.Dashboard.v21.1.Web.Mvc.dll in one of the following ways:

Update to v21.2

v21.2 changes the default behavior and makes the DevExpress.DashboardAspNetCore.DashboardController class abstract. Refer to the following Breaking Change for more information: T1018632 Web Dashboard - The DashboardController class became abstract.

Configure ApplicationParts

Remove classes contained in the DevExpress.Dashboard.v21.1.AspNetCore.dll from ApplicationParts:

services
  .AddMvc()
  .AddDefaultDashboardController((configurator, serviceProvider) => { })
  .ConfigureApplicationPartManager((manager) => {
    var dashboardApplicationParts = manager.ApplicationParts.Where(part => 
        part is AssemblyPart && ((AssemblyPart)part).Assembly == typeof(DashboardController).Assembly).ToList();
    foreach(var partToRemove in dashboardApplicationParts) {
      manager.ApplicationParts.Remove(partToRemove);
    }
  });

Database Security

Enable Custom SQL

The Data Source Wizard allows users to construct SQL queries only in the built-in Query Builder by default. Queries constructed in the Query Builder are guaranteed to be safe because they can contain only a SELECT statement.

Users cannot edit SQL queries in the Query Builder (the default setting). Refer to the following article for information on how to enable users to edit SQL Queries in the UI: Custom SQL Queries. Custom SQL queries are validated before their execution. Please make sure to apply a secure SQL validation that prevents harmful request execution.

We recommend that you utilize the access control functionality of your database management system to achieve the highest level of database security.

Restrict Access to Unauthorized Assemblies

You cannot load custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) (the default setting).

To permit a user to load a specific assembly, handle the DashboardConfigurator.CustomAssemblyLoading event. An unauthorized attempt to load a custom assembly will result in a CustomAssemblyLoadingProhibitedException.

Restrict Access to External Data Resources

The Dashboard Control gets data from resources stored on the disk or on the Internet. We recommend that you specify access settings for data resources (Excel, Extract, and JSON data sources).

Use the AccessSettings class to explicitly allow the path to the data file. To accomplish this, configure rules in the DataResources property to restrict file system access to the specified folders. You can call the SetRules(IAccessRule[]) method when the application starts to specify rules before a dashboard control sets its rules. The SetRules(IAccessRule[]) method can be called only once at the application startup. Otherwise, the method will raise an exception. Alternatively, you can use the TrySetRules(IAccessRule[]) method, which does not raise an exception.

Data Source Access Rights

These examples show how to configure the Dashboard control so that it loads data in a multi-user environment. You can identify a user in the current session and select which underlying data source is available for this user.

View Example: ASP.NET Core

Working Mode Access Rights

The Web Dashboard can act as a designer or viewer. The following modes are available:

Designer

The Web Dashboard works as a designer and allows users to create, edit, and save dashboards. In this mode, the control loads the extensions required to design dashboards. A user can switch the control to Viewer mode and can modify dashboards from storage on the client side. This is the default mode.

Viewer

The Web Dashboard works as a viewer and displays dashboards to users. In this mode, the control also loads the extensions required to design dashboards. A user can switch the control to Designer mode.

ViewerOnly

The Web Dashboard does not load the extensions required to design dashboards. Users cannot switch to Designer or Viewer modes on the client. This mode affects only the Web Dashboard’s UI and does not affect server settings.

Viewer and ViewerOnly modes do not influence the server. The server works as ClientTrustLevel.Full. To protect dashboards stored on a server, handle the DashboardConfigurator.VerifyClientTrustLevel event to verify the trust level and specify which actions a client can initiate to execute them on a server side. For example, you can use the ClientTrustLevel.Restricted mode to prevent inadvertent or unauthorized modifications to dashboards stored on the server.

A list below describes the Web Dashboard’s specifics when it operates in the ClientTrustLevel.Restricted mode:

• Only dashboards stored in dashboard storage can be processed on the client. Designer mode does not work.

• Calling the IEditableDashboardStorage.AddDashboard and IDashboardStorage.SaveDashboard methods leads to an exception.

• Information about data sources containing in a dashboard xml definition is not passed to the client when you request a dashboard xml file.

Dashboard Access Rights

The Web Dashboard allows users to open, modify, and create new dashboards. If you want to specify different access rights for different users, create custom dashboard storage (IDashboardStorage or IEditableDashboardStorage), and add the verification in the implemented class.

View Example: ASP.NET Core - How to implement multi-tenant Dashboard architecture

XSS Security

The HTML-injection is one of the most common types of XSS attack. To prevent this type of injection, make sure that the EncodeHtml property is enabled:

• For ASP.NET Core, use the DashboardBuilder.EncodeHtml method and pass true as a parameter.
• For Angular, React, Vue, and JavaScript applications with ASP.NET Core backend, use the DashboardControl.encodeHtml/DashboardControlOptions.encodeHtml properties.
• For Blazor, enable the DxDashboard.EncodeHtml property.

Prevent Cross-Site Request Forgery (CSRF)

Cross-site request forgery (also known as XSRF or CSRF) is a type of malicious exploit of a website where unauthorized commands are submitted from a trusted user. To prevent cross-site request forgery (CSRF) attacks on your web application, use a custom dashboard controller and apply anti-forgery request validation. See the following example for implementation details:

View Example: ASP.NET Core

Cache Security

When Web Dashboard performs data-related operations in client data processing mode, data from a data source can be cached. The Web Dashboard control uses a single cache. The use of separate DashboardConfigurator instances does not create separated caches. Create a custom parameter to specify a different cache for different user roles:

DashboardConfigurator.Default.CustomParameters += (s, e) => { 
    e.Parameters.Add(new Parameter("UserRole", typeof(string), System.Web.Security.Roles.GetRolesForUser())); 
};

See the following topic for more information: Dashboard Backend - Manage an In-Memory Data Cache.