Data Access Security
This document highlights the most important security risks that are associated with distributing WPF reporting applications and granting them permissions to access sensitive data.
Default data access behavior of the End-User Report Designer is intended to provide a high level of database security.
We strongly recommend that you keep the default behavior if untrusted parties can access your reporting application.
We also recommend that you use the access control functionality of your database management system to achieve the highest level of database security.
To enable your end-users to safely connect to data sources without exposing your infrastructure to any risks, consider the following security issues.
SQL Data Sources
By default, the SQL Data Source wizard only allows the visual construction of SQL queries using the built-in Query Builder. Queries constructed with the Query Builder can only contain a single SELECT statement, so they cannot modify data or schema.
Manual editing of SQL queries is considered unsafe and is disabled by default. You can enable SQL editing at your own risk using the approach described in the following online example: Report Designer for WPF - How to enable end-users to execute custom SQL.
If custom SQL editing is enabled, the Query Builder contains the Allow Edit SQL check box, which also enables the capability to specify the custom SQL query manually.
Custom SQL queries are not validated before their execution and may contain potentially harmful instructions. For this reason, we strongly recommend that you implement your own validation logic that permits only execution of specific query kinds. See Report Designer for WPF - How to provide custom SQL validation for a code sample.
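The following is an added example of the kind of validation logic the paragraph above asks for; it is not DevExpress code and not the code from the linked online example. It accepts a single SELECT statement and rejects stacked statements, comments and data-modifying or command-execution keywords. The wiring into the data source at the end (the ValidateCustomSqlQuery event and its Valid and CustomSqlQuery.Sql members) is an assumption about the DevExpress API and is not shown on this page; check it against the current API reference.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not DevExpress code): a conservative allow-list validator for
// SQL typed by end users. A keyword filter is a second line of defense only;
// the database account the report runs under must still be read-only.
public static class CustomSqlValidator
{
    const int MaxLength = 4000;

    // A single-quoted SQL string literal, including the doubled-quote escape ('').
    static readonly Regex StringLiteral = new Regex(@"'(?:[^']|'')*'", RegexOptions.Compiled);

    // Keywords that have no place in a read-only report query. They are checked after
    // string literals have been blanked out, so the data value 'do not delete' is not a hit.
    static readonly Regex ForbiddenKeyword = new Regex(
        @"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|EXEC|EXECUTE" +
        @"|INTO|DECLARE|OPENROWSET|OPENQUERY|OPENDATASOURCE|BULK|WAITFOR|SHUTDOWN|BACKUP|RESTORE" +
        @"|xp_\w+|sp_\w+)\b",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static bool IsAllowed(string sql, out string reason)
    {
        if (string.IsNullOrWhiteSpace(sql)) { reason = "empty query"; return false; }
        if (sql.Length > MaxLength) { reason = "query too long"; return false; }

        string trimmed = sql.Trim();

        // An odd number of quotes means an unterminated literal; reject rather than guess.
        int quotes = 0;
        foreach (char c in trimmed) if (c == '\'') quotes++;
        if (quotes % 2 != 0) { reason = "unbalanced string literal"; return false; }

        // Everything below inspects the query with literal contents removed.
        string code = StringLiteral.Replace(trimmed, "''");

        if (code.Contains(";")) { reason = "multiple statements are not allowed"; return false; }
        if (code.Contains("--") || code.Contains("/*")) { reason = "comments are not allowed"; return false; }
        // Only a plain SELECT; CTEs (WITH ...) are deliberately excluded to keep the rule simple.
        if (!Regex.IsMatch(code, @"^SELECT\b", RegexOptions.IgnoreCase)) { reason = "only SELECT statements are allowed"; return false; }

        Match m = ForbiddenKeyword.Match(code);
        if (m.Success) { reason = "forbidden keyword: " + m.Value; return false; }

        reason = null;
        return true;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample queries, as an end user might type them into the Query Builder.
        string[] samples =
        {
            "SELECT CustomerId, CompanyName FROM Customers WHERE Country = 'USA'",
            "SELECT * FROM Orders o JOIN Customers c ON c.CustomerId = o.CustomerId",
            "SELECT Name FROM Products WHERE Note = 'do not delete'",
            "SELECT * FROM Customers; DROP TABLE Customers",
            "SELECT * FROM Customers WHERE Id = 1 -- AND Active = 1",
            "SELECT * INTO Dump FROM Customers",
            "EXEC xp_cmdshell 'whoami'",
            "DELETE FROM Customers",
        };
        foreach (string q in samples)
        {
            bool ok = CustomSqlValidator.IsAllowed(q, out string why);
            Console.WriteLine((ok ? "ALLOW  " : "REJECT ") + q + (ok ? "" : "   (" + why + ")"));
        }

        // Wiring into the report designer (assumed DevExpress event and argument names,
        // not shown on this page; verify against the current API reference):
        // sqlDataSource.ValidateCustomSqlQuery += (sender, e) =>
        //     e.Valid = CustomSqlValidator.IsAllowed(e.CustomSqlQuery.Sql, out _);
    }
}
```

The validator is intentionally strict: anything it cannot classify as a single plain SELECT is rejected, and false positives are preferred over a missed write. Vendor-specific functions and slow or blind-injection tricks are not caught by a keyword list, which is why the database account's privileges (see the recommendation above on using your DBMS's access control) remain the real boundary.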
Entity Framework Data Sources
Loading of custom assemblies that may be referenced by Entity Framework data sources is forbidden by default. To permit loading a specific assembly, handle the EFDataSource.BeforeLoadCustomAssembly event (or static EFDataSource.BeforeLoadCustomAssemblyGlobal event) and specify the following properties of the BeforeLoadCustomAssemblyEventArgs object.
- Specifies whether loading a custom assembly is allowed.
- Specifies the path to a requested assembly.
- Specifies the type to load from a custom assembly.
An unauthorized attempt to load a custom assembly will result in throwing a CustomAssemblyLoadingProhibitedException.
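As an added example (not DevExpress code and not the code from the linked online example), the policy below decides whether a requested assembly and data context type may be loaded: the assembly must live under one application-controlled directory (after path normalization, so ".." segments and look-alike sibling directories are rejected) and the type must be on an explicit allow list. The property names Allow, AssemblyPath and TypeName on BeforeLoadCustomAssemblyEventArgs used in the commented wiring are an assumption about the DevExpress API, not shown on this page; the directory name "Contexts" and the type names are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example (not DevExpress code): an allow-list policy for custom assembly loading.
public sealed class AssemblyLoadPolicy
{
    readonly string root;                 // normalized, always ends with a separator
    readonly HashSet<string> allowedTypes;

    public AssemblyLoadPolicy(string rootDirectory, IEnumerable<string> allowedTypeNames)
    {
        // The trailing separator matters: without it "C:\App\Contexts" would also
        // accept "C:\App\ContextsEvil\x.dll".
        root = Path.GetFullPath(rootDirectory)
                   .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
               + Path.DirectorySeparatorChar;
        allowedTypes = new HashSet<string>(allowedTypeNames, StringComparer.Ordinal);
    }

    public bool IsAllowed(string assemblyPath, string typeName, out string reason)
    {
        if (string.IsNullOrWhiteSpace(assemblyPath) || string.IsNullOrWhiteSpace(typeName))
        { reason = "missing assembly path or type name"; return false; }

        string full;
        try { full = Path.GetFullPath(assemblyPath); }   // resolves "..", ".", relative segments
        catch (Exception ex) { reason = "unparseable path: " + ex.Message; return false; }

        // Case-insensitive because this is a Windows (WPF) file system.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
        { reason = "assembly is outside " + root; return false; }
        if (!string.Equals(Path.GetExtension(full), ".dll", StringComparison.OrdinalIgnoreCase))
        { reason = "not a .dll file"; return false; }
        if (!allowedTypes.Contains(typeName))
        { reason = "type is not on the allow list"; return false; }

        reason = null;
        return true;
    }
}

class Program
{
    static void Main()
    {
        // Constructed for the example: contexts are shipped in <app>\Contexts.
        string root = Path.Combine(AppContext.BaseDirectory, "Contexts");
        var policy = new AssemblyLoadPolicy(root, new[] { "Sales.Data.SalesContext" });

        // Constructed load requests, in the shape the event would present them.
        var requests = new (string AssemblyPath, string TypeName)[]
        {
            (Path.Combine(root, "Sales.Data.dll"), "Sales.Data.SalesContext"),
            (Path.Combine(root, "Sales.Data.dll"), "Sales.Data.AdminContext"),
            (Path.Combine(root, "..", "Plugins", "Evil.dll"), "Sales.Data.SalesContext"),
            (root + "Evil" + Path.DirectorySeparatorChar + "Sales.Data.dll", "Sales.Data.SalesContext"),
            (Path.Combine(root, "Sales.Data.exe"), "Sales.Data.SalesContext"),
        };
        foreach (var r in requests)
        {
            bool ok = policy.IsAllowed(r.AssemblyPath, r.TypeName, out string why);
            Console.WriteLine((ok ? "ALLOW  " : "REJECT ") + r.TypeName + " from " + r.AssemblyPath
                              + (ok ? "" : "   (" + why + ")"));
        }

        // Wiring (assumed DevExpress argument property names; verify against the API reference):
        // DevExpress.DataAccess.EntityFramework.EFDataSource.BeforeLoadCustomAssemblyGlobal += (sender, e) =>
        //     e.Allow = policy.IsAllowed(e.AssemblyPath, e.TypeName, out _);
    }
}
```

Denying by default in the handler keeps the documented behavior for everything the policy does not explicitly allow: a request that fails the check still ends in CustomAssemblyLoadingProhibitedException, and the allow list names types rather than whole assemblies so that a permitted assembly cannot be used to reach an unintended context.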
In the Entity Framework Data Source wizard, it is possible to load custom assemblies by using the Browse button on the Select the Data Context page. In the End-User Designer, this button is hidden by default, so that end-users are allowed only to select the data context from assemblies referenced by the project.
To make the Browse button visible, set the EFWizardSettings.ShowBrowseButton property to true or assign a custom IWizardCustomizationService implementation to the ReportDesignerBase.ServicesRegistry property of a Report Designer.
For a code sample, see the following example online: Report Designer for WPF - How to enable end-users to load custom assemblies to the Entity Framework context.
Protecting Connection Information
In the End-User Report Designer for WPF, the password portion of the connection string is obscured with asterisk characters in the application's GUI. This is a display measure only: it keeps the password from being read off the screen, but it is not encryption, and the application still handles the connection string in clear text. Keep credentials out of report layouts that leave the application and rely on the access control of your database management system, as recommended above.
Restrict Access to External Resources
Ensure that reports from untrusted sources cannot use the DataSource or XmlDataPath property to access the file system and read files. The restrictions affect the ExcelDataSource and JsonDataSource data sources.
You can use static properties and methods of the AccessSettings class to explicitly specify file operation restrictions for Excel data sources and specify allowed URLs for JSON data sources. If your application does not retrieve data from file-based data sources, add the DirectoryAccessRule.Deny() access rule to the AccessSettings.DataResources settings to prohibit all file operations with data sources, as shown in the following code snippet:
    // JSON data can be loaded only from URLs; Excel data cannot be loaded from
    // file directories (loading Excel data from URLs is not supported).
    bool success = DevExpress.Security.Resources.AccessSettings.DataResources.TrySetRules(
        DevExpress.Security.Resources.UrlAccessRule.Allow(),
        DevExpress.Security.Resources.DirectoryAccessRule.Deny());
    // TrySetRules returns false if rules have already been set, so apply them once at startup.
    if (!success)
        System.Diagnostics.Debug.Print("Cannot change rules. The rules are already set.");