
DacFx exposes local computer folder structure by embedding full paths to dacpac-dependencies into built dacpac #329

Open
IVNSTN opened this issue Aug 28, 2023 · 2 comments
Labels: bug (Something isn't working)

@IVNSTN

IVNSTN commented Aug 28, 2023

  • SqlPackage or DacFx Version: SSDT 16.0.62205.05200
  • .NET Framework (Windows-only) or .NET Core: 4.8 / 3.1
  • Environment (local platform and source/target platforms):
    • Windows 10
    • VS 2019 16.11.26

If one has an interesting folder structure with strange or fancy folder names, everyone who gets a dacpac from this person will get this information and thus will be able to use it, possibly against the person who produced the dacpac.
Of course, this does not look like a terrible vulnerability, but for sure this is not comfortable when you know about it, and it is absolutely unexpected.

This behavior is reproduced in CI builds inside temp build folders which will no longer exist after the build is finished, which makes me believe that these paths embedded into dacpac metadata are of no use.

IMO dacfx should put into the built dacpac the same (relative or whatever) path to the dacpac-dependency from the sqlproj as is. Otherwise this information should be removed from the built dacpac to avoid the described information exposure.

Steps to Reproduce:

  1. Create a folder structure like c:/test/I like Janet/And hate Mike/dacpacs and c:/test/I like Janet/And hate Mike/new db
  2. Put existing dacpacs into /dacpacs to use them as dependencies for the new db project
  3. Make a new sqlproj in the /new db folder
  4. Add dacpac dependencies into new db.sqlproj using relative paths to the dacpacs in the ../dacpacs folder
  5. Build this new db.sqlproj
  6. Go into the built dacpac internals and view model.xml
  7. See absolute paths to the dacpacs telling the story about your relationships with Mike and Janet to everyone
  8. Realize that there is no place in the sources where you mentioned absolute paths describing your local workplace environment

Relative paths in the project (screenshot of the sqlproj references)

Become absolute paths in the dacpac after building the project (screenshot of model.xml)

Did this occur in prior versions? If not, which version(s) did it work in? (DacFx/SqlPackage/SSMS/Azure Data Studio)
no such version

@IVNSTN IVNSTN added the bug Something isn't working label Aug 28, 2023
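A check that a maintainer or a build pipeline could run against a built dacpac to catch the leak described in the reproduction steps above. This is an added example written for this page, not DacFx or SqlPackage code. It assumes only what the report states: a dacpac is a zip archive with a model.xml at its root, and the referenced dacpacs are recorded there as attribute values. The CustomData/Metadata element and attribute names used to construct the sample model.xml are assumptions about the serialization format, and the paths are constructed from the issue's own example.

```python
"""Scan a .dacpac for absolute filesystem paths embedded in its model.xml.

Added example for this issue thread, not DacFx project code.
Assumptions: a dacpac is a zip archive containing model.xml at its root,
and the element/attribute names used in the constructed sample below
(DataSchemaModel/Header/CustomData/Metadata) are assumed, not verified
against the DacFx serializer.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# Assumed namespace of the dacpac model document.
NS = "http://schemas.microsoft.com/sqlserver/dac/Serialization/2012/02"

# Windows drive-letter paths (C:\ or C:/), UNC paths (\\server\share)
# and POSIX absolute paths (/home/...). Relative paths such as ..\dacpacs
# or ../dacpacs deliberately do not match.
ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/)")


def find_absolute_paths(model_xml: bytes) -> list:
    """Return (element, attribute, value) for every attribute value in
    model.xml that looks like an absolute filesystem path."""
    root = ET.fromstring(model_xml)
    hits = []
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        for attr, value in elem.attrib.items():
            if ABSOLUTE_PATH.match(value):
                hits.append((local_name, attr, value))
    return hits


def scan_dacpac(data: bytes) -> list:
    """Open a dacpac given as bytes and scan its model.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_absolute_paths(zf.read("model.xml"))


def build_sample_dacpac(reference_path: str) -> bytes:
    """Construct a minimal dacpac in memory whose model.xml references one
    dependency dacpac at reference_path. Sample data, not a real build."""
    root = ET.Element("DataSchemaModel", xmlns=NS)
    header = ET.SubElement(root, "Header")
    ref = ET.SubElement(header, "CustomData", Category="Reference", Type="SqlSchema")
    ET.SubElement(ref, "Metadata", Name="FileName", Value=reference_path)
    ET.SubElement(ref, "Metadata", Name="LogicalName", Value="Shared.dacpac")
    ET.SubElement(root, "Model")
    model_xml = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("model.xml", model_xml)
    return buf.getvalue()


def main(argv: list) -> int:
    """CLI: exit 1 if any given dacpac embeds an absolute path, so a CI
    job can fail the build before the artifact is published."""
    leaked = False
    for path in argv[1:]:
        with open(path, "rb") as fh:
            for element, attr, value in scan_dacpac(fh.read()):
                leaked = True
                print(f"{path}: {element}@{attr} = {value}")
    return 1 if leaked else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv))
    # No arguments: demonstrate on the constructed sample from the issue.
    leaky = build_sample_dacpac(r"C:\test\I like Janet\And hate Mike\dacpacs\Shared.dacpac")
    for hit in scan_dacpac(leaky):
        print("leaked:", hit)
    clean = build_sample_dacpac(r"..\dacpacs\Shared.dacpac")
    print("relative reference hits:", scan_dacpac(clean))
```

Run it with one or more built dacpacs as arguments after a build step; a non-zero exit means the artifact carries a path from the build machine and should not be published. The regex is intentionally broad (drive letters, UNC shares and POSIX roots) because the build agent's layout is not known in advance.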
@Aldebaran91

Same in SqlProjects (*.sqlproj) after build. Creates DACPAC files with absolute paths.

@zijchen
Member

zijchen commented Apr 1, 2024

We reverted this change in DacFx 162.3.515-preview due to some issues in SSDT. We'll come up with a more comprehensive fix in a next release.

@zijchen zijchen reopened this Apr 1, 2024
@zijchen zijchen removed the fixed-pending-release Fix in upcoming release label Apr 1, 2024