Closed IVNSTN closed 2 weeks ago
Same in SqlProjects (*.sqlproj) after build. Creates DACPAC files with absolute paths.
We reverted this change in DacFx 162.3.515-preview due to some issues in SSDT. We'll come up with a more comprehensive fix in a future release.
If one has an interesting folder structure with strange or fancy folder names, everyone who gets a dacpac from this person will get this information and thus will be able to use it, possibly against the person who produced the dacpac. Of course, this does not look like a terrible vulnerability, but for sure this is not comfortable when you know it, and it is absolutely unexpected.

This behavior is reproduced in CI builds inside temp build folders which will no longer exist after the build is finished, which makes me believe that these paths embedded into dacpac metadata are of no use.

IMO dacfx should put into the built dacpac the same (relative or whatever) path to the dacpac dependency from the sqlproj as is. Otherwise this information should be removed from the built dacpac to avoid the described information exposure.
Steps to Reproduce:
1. `c:/test/I like Janet/And hate Mike/dacpacs` and `c:/test/I like Janet/And hate Mike/new db`
2. `/dacpacs` to use them as dependencies for `new db` project
3. `/new db` folder, `new db.sqlproj` using relative paths to dacpacs in the `../dacpacs` folder
4. `new db.sqlproj`
Relative paths in the project:
Become absolute paths in the dacpac after building the project:
Did this occur in prior versions? If not, which version(s) did it work in? (DacFx/SqlPackage/SSMS/Azure Data Studio): no such version
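An added audit script for the exposure described in this issue; it is not from this thread or the DacFx project. It opens a built dacpac as the zip archive it is, walks every XML part, and reports any attribute value or element text that starts with an absolute Windows, UNC or POSIX path, so the artifact can be checked before it leaves the build machine. The sample dacpac it constructs is a simplified stand-in: the `CustomData Category="Reference"` / `Metadata Name="FileName"` layout is an assumption about how DacFx records project references, and `dependency.dacpac` / `other.dacpac` are made-up names.

```python
"""Audit a built .dacpac for absolute filesystem paths in its XML metadata.

A dacpac is a zip archive whose parts (model.xml, Origin.xml, ...) are XML.
Every part is scanned and each absolute-looking path is reported with the
part, element and attribute it was found in.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# Drive-letter paths (c:\..., c:/...), UNC shares (\\server\share\...) and
# POSIX paths with at least two segments (/home/user/...). Anchored at the
# start of the value so package-internal URIs such as "/model.xml" are ignored.
ABSOLUTE_PATH_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\[^\\/]+[\\/]|/[^/\s]+/)")


def find_absolute_paths(dacpac_bytes: bytes) -> list[dict]:
    """Return one finding per absolute-looking path in any XML part of the dacpac."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(dacpac_bytes)) as zf:
        for part in zf.namelist():
            if not part.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # not well-formed XML; nothing to scan here
            for elem in root.iter():
                tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
                candidates = list(elem.attrib.items())
                if elem.text and elem.text.strip():
                    candidates.append(("#text", elem.text.strip()))
                for where, value in candidates:
                    if ABSOLUTE_PATH_RE.match(value):
                        findings.append(
                            {"part": part, "element": tag, "where": where, "value": value}
                        )
    return findings


def is_clean(dacpac_bytes: bytes) -> bool:
    """True when no absolute path is embedded anywhere in the dacpac metadata."""
    return not find_absolute_paths(dacpac_bytes)


# Constructed sample (assumption about the real layout): one reference keeps the
# absolute build-machine path from the thread, one keeps the relative path the
# project file used.
MODEL_XML_NS = "http://schemas.microsoft.com/sqlserver/dac/Serialization/2012/02"


def build_sample_dacpac() -> bytes:
    model = f"""<?xml version="1.0" encoding="utf-8"?>
<DataSchemaModel xmlns="{MODEL_XML_NS}">
  <Header>
    <CustomData Category="Reference" Type="SqlSchema">
      <Metadata Name="FileName" Value="C:\\test\\I like Janet\\And hate Mike\\dacpacs\\dependency.dacpac" />
      <Metadata Name="LogicalName" Value="dependency.dacpac" />
    </CustomData>
    <CustomData Category="Reference" Type="SqlSchema">
      <Metadata Name="FileName" Value="..\\dacpacs\\other.dacpac" />
      <Metadata Name="LogicalName" Value="other.dacpac" />
    </CustomData>
  </Header>
  <Model />
</DataSchemaModel>"""
    origin = f"""<?xml version="1.0" encoding="utf-8"?>
<DacOrigin xmlns="{MODEL_XML_NS}">
  <Checksums><Checksum Uri="/model.xml">00</Checksum></Checksums>
</DacOrigin>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("model.xml", model)
        zf.writestr("Origin.xml", origin)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_dacpac.py "new db.dacpac"; with no argument the sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dacpac()
    for f in find_absolute_paths(data):
        print(f"{f['part']}: <{f['element']} {f['where']}=...> {f['value']}")
    sys.exit(0 if is_clean(data) else 1)
```

Run it against the built artifact as a CI gate before the dacpac is published or handed to anyone outside the build; a non-zero exit means the build machine's directory layout has leaked into the package. Stripping the paths out of model.xml after the fact is not a substitute for a DacFx-side fix, since Origin.xml carries a checksum over the model part and an edited package will no longer validate.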