This document highlights the most important security risks that are associated with distributing WPF reporting applications and granting them permissions to access sensitive data.
Default data access behavior of the End-User Report Designer is intended to provide a high level of database security.
We strongly recommend that you utilize the default behavior if your reporting application can be accessed by untrusted parties.
We also recommend that you use the access control functionality of your database management system to achieve the highest level of database security.
To enable your end-users to safely connect to data sources without exposing your infrastructure to any risks, consider the following security issues.
By default, the SQL Data Source wizard only allows the visual construction of SQL queries using the built-in Query Builder. Queries constructed using the Query Builder can only contain a SELECT statement and are guaranteed to be safe.
Manual editing of SQL queries is considered unsafe and is disabled by default. You can enable SQL editing at your own risk using the approach described in the following online example: Report Designer for WPF - How to enable end-users to execute custom SQL.
If custom SQL editing is enabled, the Query Builder contains the Allow Edit SQL check box, which also enables the capability to specify the custom SQL query manually.
Custom SQL queries are not validated before their execution and may contain potentially harmful instructions. For this reason, we strongly recommend that you implement your own validation logic that permits only execution of specific query kinds. See Report Designer for WPF - How to provide custom SQL validation for a code sample.
Loading of custom assemblies that may be referenced by Entity Framework data sources is forbidden by default. To permit loading a specific assembly, handle the EFDataSource.BeforeLoadCustomAssembly event (or static EFDataSource.BeforeLoadCustomAssemblyGlobal event) and specify the following properties of the BeforeLoadCustomAssemblyEventArgs object.
Specifies whether loading a custom assembly is allowed.
Specifies the path to a requested assembly.
Specifies the type to load from a custom assembly.
An unauthorized attempt to load a custom assembly will result in throwing a CustomAssemblyLoadingProhibitedException.
In the Entity Framework Data Source wizard, it is possible to load custom assemblies by using the Browse button on the Select the Data Context page. In the End-User Designer, this button is hidden by default, so that end-users are allowed only to select the data context from assemblies referenced by the project.
To make the Browse button visible, set the EFWizardSettings.ShowBrowseButton property to true or assign a custom IWizardCustomizationService implementation to the ReportDesignerBase.ServicesRegistry property of a Report Designer.
For a code sample, see the following example online: Report Designer for WPF - How to enable end-users to load custom assemblies to the Entity Framework context.
In the End-User Report Designer for WPF, the password portion of the connection string is obscured with asterisk characters everywhere in the application GUI.