Skip to content

Latest commit

 

History

History
38 lines (31 loc) · 5.44 KB

threat-modeling.md

File metadata and controls

38 lines (31 loc) · 5.44 KB

Threat Model Analysis for dotnet/efcore

Threat: LINQ Injection / Raw SQL Misuse

  • Description: Attackers exploit vulnerabilities by injecting malicious SQL commands through EF Core's raw SQL features (FromSqlInterpolated, FromSqlRaw) or by manipulating LINQ queries in ways that bypass parameterization. This is achieved by supplying unsanitized user input directly into these methods or by dynamically constructing LINQ queries based on untrusted data.
  • Impact: Critical - Unauthorized data access, data manipulation, potentially full database compromise including data deletion or modification, and in some cases, depending on database permissions, even operating system command execution on the database server.
  • Affected EF Core Component: DbContext.FromSqlInterpolated, DbContext.FromSqlRaw, LINQ Query Translation.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Prioritize LINQ: Primarily use LINQ queries as EF Core's default query generation is parameterized and secure against SQL injection when used correctly.
    • Parameterization for Raw SQL: When using FromSqlInterpolated, ensure proper string interpolation which treats inputs as parameters, not as executable SQL code.
    • Avoid FromSqlRaw: Minimize or eliminate the use of FromSqlRaw. If absolutely necessary, rigorously sanitize and validate all user inputs before incorporating them into raw SQL strings.
    • Input Validation: Implement robust input validation and sanitization at the application input points before data reaches the EF Core data access layer.
    • Static Analysis: Utilize static code analysis tools specifically designed to detect SQL injection vulnerabilities, including those related to EF Core's raw SQL usage.

Threat: Mass Assignment Vulnerabilities

  • Description: Attackers exploit EF Core's automatic change tracking by manipulating request data (e.g., form data, JSON payloads) to modify entity properties that should not be directly accessible or modifiable by users. EF Core, by default, can bind incoming data to entity properties, potentially allowing attackers to overwrite sensitive fields.
  • Impact: High - Unauthorized modification of data, potentially leading to privilege escalation if attackers can modify properties that control access rights or application behavior. Data integrity can be severely compromised.
  • Affected EF Core Component: Change Tracking, Model Binding.
  • Risk Severity: High
  • Mitigation Strategies:
    • Data Transfer Objects (DTOs) / ViewModels: Employ DTOs or ViewModels as intermediaries between the application and EF Core entities. Map only explicitly allowed properties from DTOs/ViewModels to entities, preventing direct binding of untrusted input to sensitive entity properties.
    • Attribute-Based Binding Control: Utilize attributes like [BindRequired] and [BindNever] on entity properties to precisely control which properties can be bound during model binding and which should be explicitly managed in code.
    • Explicit Property Updates: Favor explicit, code-driven updates of entity properties instead of relying solely on automatic change tracking for user-provided data. This provides fine-grained control over which properties are modified and under what conditions.
    • AsNoTracking() for Read-Only Operations: For queries intended for read-only purposes, use .AsNoTracking() to disable change tracking, reducing the attack surface for mass assignment vulnerabilities in those contexts.

Threat: Database Provider Specific Vulnerabilities

  • Description: Attackers target vulnerabilities within the specific database provider implementation used by EF Core (e.g., the SQL Server provider, PostgreSQL provider, etc.). These vulnerabilities could reside in query translation logic, data handling, or other provider-specific code, potentially leading to unexpected behavior or security breaches when EF Core interacts with the database through the provider.
  • Impact: Varies - Can range from High to Critical depending on the nature of the provider vulnerability. Impacts can include data corruption, denial of service, or in severe cases, remote code execution on the database server or application server if the provider vulnerability is exploitable in that manner.
  • Affected EF Core Component: Database Providers (e.g., SQL Server Provider, PostgreSQL Provider), Query Translation, Database Interaction.
  • Risk Severity: High to Critical (depending on the specific vulnerability and provider).
  • Mitigation Strategies:
    • Keep Providers Updated: Maintain EF Core and all database provider packages at the latest stable versions. Regularly update to patch known security vulnerabilities in providers.
    • Security Monitoring: Actively monitor security advisories and release notes for both EF Core itself and the specific database provider being used. Subscribe to security mailing lists or use vulnerability scanning tools to stay informed about potential provider vulnerabilities.
    • Provider Best Practices: Adhere to security best practices recommended by the vendor of the specific database provider being used. This might include specific configuration settings or usage patterns to mitigate provider-specific risks.