Security Considerations in WPF
- 3 minutes to read
This document describes how to avoid possible security risks when you deploy a WPF application that contains the DashboardControl.
Data Connection Security
The DashboardControl can use different data source types to supply dashboards with data. You can add predefined data sources in code. You should specify connection parameters to get data from certain data sources. For example, DashboardSqlDataSource and DashboardOlapDataSource can require a user name and password. To avoid data leaks, use one of the following techniques to pass connection parameters safely:
- Add the connection string to the connectionStrings section in the application’s configuration file when you work in a development environment.
- Handle the DashboardControl.ConfigureDataConnection event to specify connection parameters at runtime.
Data Source Security
SQL Data Source - Validate Custom SQL Queries
Handle the following events to specify validation logic before custom SQL query execution:
- IDashboardControl.ValidateCustomSqlQuery
- DashboardControl.AsyncValidateCustomSqlQuery
- Dashboard.ValidateCustomSqlQuery
Please make sure to apply a secure SQL validation that prevents harmful request execution. We recommend that you utilize the access control functionality of your database management system to achieve the highest level of database security.
Entity Framework Data Source - Restrict Access to Unauthorized Assemblies
You cannot load custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) (the default setting).
To permit a user to load a specific assembly, handle the DashboardControl.CustomAssemblyLoading event. An unauthorized attempt to load a custom assembly results in a CustomAssemblyLoadingProhibitedException.
Object Data Source - Validate Data
If a user opens a dashboard that contains the DashboardObjectDataSource, the following message displays before data loading:
This dialog allows users to select whether to trust the object data sources available in the application. You can use the DashboardControl.ObjectDataSourceLoadingBehavior property to change this default logic. For instance, you can allow the application to load any object data sources, or you can load object data sources in safe mode when their data member and data source settings are cleared.
You can also handle the ObjectDataSource.BeforeFill event to execute custom validation for the specified data source. The corresponding static ObjectDataSource.BeforeFillGlobal event allows you to validate all object data sources in your application.
Excel, Extract, and JSON Data Sources - Restrict Access to External Data Resources
The Dashboard Viewer gets data from resources stored on the disk or on the Internet. We recommend that you specify access settings for data resources (Excel, Extract, and JSON data sources).
You can read files from any directory by default. To protect your application, use the AccessSettings class to explicitly specify where data sources can be read from. To accomplish this, configure rules in the DataResources property to restrict file system access to specified folders. You can call the SetRules(IAccessRule[]) method when your application starts to specify rules before a dashboard control sets its rules. The SetRules(IAccessRule[])
method can be called only once at application startup. Otherwise, the method will raise an exception. Alternatively, you can use the TrySetRules(IAccessRule[]) method, which does not raise an exception.
Clipboard Access Policy
The DevExpress.Data.Utils.ClipboardAccessPolicy allows you to control/manage clipboard-related operations when using the WPF Dashboard Viewer.
Refer to the following help topic for more information: Clipboard Access Policy.