search

microsoft / DacFx

DacFx, SqlPackage, and other SQL development libraries enable declarative database development and database portability across SQL versions and environments. Share feedback here on dacpacs, bacpacs, and SQL projects.
https://aka.ms/sqlpackage-ref
MIT License
314 stars 19 forks source link

DacFx exposes local computer folder structure by embedding full paths to dacpac-dependencies into built dacpac #329

Closed IVNSTN closed 2 weeks ago

IVNSTN commented 1 year ago

If one has an interesting folder structure with strange or fancy folder names - everyone who gets dacpac from this person will get this information thus will be able to use it, possibly against the person who produced a dacpac. Of course, this does not look like a terrible vulnerability, but for sure this is not comfortable when you know it and is absolutely unexpected.

This behavior is reproduced in CI builds inside temp build folders which will no longer exist after the build is finished. Which makes me believe that these paths embedded into dacpac metadata are of no use.

IMO dacfx should put into the built dacpac the same (relative or whatever) path to dacpac-dependency from sqlproj as is. Otherwise this information should be removed from built dacpac to avoid described information exposure.

Steps to Reproduce:

  1. Create a folder structure like c:/test/I like Janet/And hate Mike/dacpacs and c:/test/I like Janet/And hate Mike/new db
  2. Put existing dacpacs into /dacpacs to use them as dependencies for new db project
  3. Make a new sqlproj in /new db folder
  4. Add dacpac dependencies into new db.sqlproj using relative paths to dacpacs in the ../dacpacs folder
  5. Build this new db.sqlproj
  6. Go into built dacpac internals, view model.xml
  7. See absolute paths to dacpacs telling the story about your relationships with Mike and Janet to everyone
  8. Realize that there is no place in the sources where you mentioned absolute paths describing your local workplace environment

Relative paths in the project image

Become absolute paths in the dacpac after building the project image

Did this occur in prior versions? If not - which version(s) did it work in? no such version

(DacFx/SqlPackage/SSMS/Azure Data Studio)

Aldebaran91 commented 1 year ago

Same in SqlProjects (*.sqlproj) after build. Creates DACPAC files with absolute paths.

zijchen commented 6 months ago

We reverted this change in DacFx 162.3.515-preview due to some issues in SSDT. We'll come up with a more comprehensive fix in a next release.