Azure / data-api-builder

Data API builder provides modern REST and GraphQL endpoints to your Azure Databases and on-prem stores.
https://aka.ms/dab/docs
MIT License

Technical Queries Regarding Runtime Database Connections, Customizable Images, SQL Injection Protection, and Oracle Support in Data API Builder #1840

Open KaneJU opened 11 months ago

KaneJU commented 11 months ago

1. At runtime, does the Data API Builder use OLE DB for database connections?

2. Given that our institution has stringent information security guidelines, we would like to obtain an image version that we can package ourselves. This will allow us to run security scans on the source code and integrate it with NLOG for forwarding to Kafka→ELK.

3. For local deployment solutions, is there a specific mechanism for SQL injection protection? Your official documentation does not seem to explicitly cover this aspect (see: Azure Data API Builder Security Considerations).

4. Is Oracle database support on your product roadmap?

seantleonard commented 11 months ago

Hi @KaneJU,

My answers to your questions below:

  1. We use the Microsoft.Data.SqlClient (ADO.NET) client driver. More information can be found via https://github.com/dotnet/SqlClient and https://learn.microsoft.com/sql/connect/ado-net/microsoft-ado-net-sql-server?view=sql-server-ver16
  2. What do you need from the DAB side to accomplish 'obtain an image version'? Since DAB is open-source, you can clone and build DAB from source and subsequently package the output bits to meet your needs.
  3. What specific mechanisms are you looking for? When building DAB, we employ development best practices covered by OWASP (e.g. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html and general info https://owasp.org/Top10/A03_2021-Injection/) with regard to SQL injection (e.g. parameterizing queries).
  4. We don't have any immediate plans for building Oracle support. Discussion about supporting Oracle can be found in #1550 and we welcome any contributions to help move that ask forward.
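An added illustration of the parameterized-query practice the reply above refers to, using the Microsoft.Data.SqlClient driver it names; this is example code written for this thread, not code from the DAB repository, and it assumes a hypothetical `dbo.Customers` table and a constructed column allowlist.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient;

public static class SafeLookup
{
    // Constructed allowlist for this example: the only columns a caller may filter on.
    // Identifiers cannot be passed as parameters, so they are validated and quoted instead.
    private static readonly HashSet<string> AllowedColumns =
        new(StringComparer.OrdinalIgnoreCase) { "Id", "Name", "Email" };

    // UNSAFE pattern (shown only as a comment for contrast): the caller's value is
    // spliced into the SQL text, so the database cannot tell data from code.
    //   string sql = $"SELECT ... FROM dbo.Customers WHERE Name = '{value}'";

    // SAFE pattern: the column name is checked against the allowlist and quoted with
    // the driver's own QuoteIdentifier; the value travels as a typed SqlParameter and
    // never becomes part of CommandText.
    public static SqlCommand BuildLookup(SqlConnection conn, string column, string value)
    {
        if (!AllowedColumns.Contains(column))
            throw new ArgumentException($"Column '{column}' is not exposed.", nameof(column));

        string quotedColumn = new SqlCommandBuilder().QuoteIdentifier(column); // e.g. [Name]

        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = $"SELECT Id, Name, Email FROM dbo.Customers WHERE {quotedColumn} = @value;";
        cmd.Parameters.Add(new SqlParameter("@value", SqlDbType.NVarChar, 200) { Value = value });
        return cmd;
    }

    public static void Main()
    {
        // No connection is opened here; CreateCommand works on an unopened SqlConnection,
        // which is enough to inspect what would be sent to the server.
        using var conn = new SqlConnection();
        SqlCommand cmd = BuildLookup(conn, "Name", "O'Brien; any text is just data here");
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine($"{p.ParameterName} ({p.SqlDbType}) = {p.Value}");
    }
}
```

Note that the printed CommandText contains `@value` rather than the caller's string: the value is transmitted to SQL Server separately from the statement text, which is the property the OWASP cheat sheet linked above relies on.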