Security - code execution
- Posts: 27
- Joined: Sun May 15, 2011 4:16 am
Security - code execution
Hello,
A report can include source code in .NET. How is it protected against undesirable execution of code which could cause security risks and harmful effects on the security of the application (like modification of Session in ASP.NET, database access, file system, ...)?
Thank you
Security - code execution
Hello,
If we have understood your problem correctly, then you can disable the designer and make changes in the code of the report, use events, and add or change data sources with the following options:
StiOptions.Designer.CodeTabVisible = false;
StiOptions.Designer.ShowEventsTab = false;
StiOptions.Designer.Panels.Dictionary.ShowEditForDataSource = false;
StiOptions.Designer.Panels.Dictionary.ShowNewButton = false;
StiOptions.Designer.Panels.Dictionary.ShowDataSourceNewMenuItem = false;
...
Let us know if you need any additional help.
Thank you.
- Posts: 27
- Joined: Sun May 15, 2011 4:16 am
Security - code execution
Thank you for guidance on how to avoid code modification over the report designer.
However, the user still has the ability to modify the file via Notepad on your local computer. This report is then loaded into Stimulsoft Reports.Web.
How is it ensured that the report cannot execute program code which works with the ASP.NET session, ...? Are there any controls?
Security - code execution
Hello,
As one way, you can save the report as a packed or encrypted report. In this case the user does not have the ability to modify the file via Notepad.
Thank you.
- Posts: 27
- Joined: Sun May 15, 2011 4:16 am
Security - code execution
Hello Aleksay!
How does report encryption prevent an attacker from creating a report with undesirable .NET program code? The attacker then uploads the report to my web server, which compiles it and starts…
Security on the client side is OK, but on the web there are always many possibilities for abuse. Does any rigorous protection on the server side exist? Any restrictions on the namespaces, classes and objects with which a report can work…?
Thank you
Security - code execution
Hello,
To exclude script execution from the report, you can turn on the interpretation mode of report building (the Report.CalculationMode property).
Thank you.
- Posts: 27
- Joined: Sun May 15, 2011 4:16 am
Security - code execution
What is the difference between the interpretation and compilation modes of a report?
I cannot find a description of the property.
Thank you.
Security - code execution
Hello,
In this mode, the report is not compiled; only an expression parser works, so in this mode the custom code in the events is not executed.
Thank you.
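The interpretation-mode answer above, applied on the server where an uploaded template is loaded; this is an added example, not code from Stimulsoft or from the participants in this thread. The class name, method name and size limit are hypothetical, and it assumes the Stimulsoft.Report assembly is referenced and that a loaded template may carry its own calculation mode, which is why the property is set after loading.

```csharp
using System;
using System.IO;
using Stimulsoft.Report;

public static class UntrustedReportLoader
{
    // Hypothetical limit chosen for this example; size it to your own templates.
    private const int MaxTemplateBytes = 2 * 1024 * 1024;

    // Loads a user-supplied template and returns it ready to render
    // without compiling any code embedded in the template.
    public static StiReport LoadForRendering(Stream upload)
    {
        if (upload == null) throw new ArgumentNullException(nameof(upload));

        // Buffer with a hard cap so an oversized upload is rejected before parsing.
        using (var buffer = new MemoryStream())
        {
            var chunk = new byte[8192];
            int read;
            while ((read = upload.Read(chunk, 0, chunk.Length)) > 0)
            {
                if (buffer.Length + read > MaxTemplateBytes)
                    throw new InvalidDataException("Report template exceeds the size limit.");
                buffer.Write(chunk, 0, read);
            }
            buffer.Position = 0;

            var report = new StiReport();
            report.Load(buffer);

            // Set the mode AFTER Load. Assumption: the template file can carry
            // its own CalculationMode, so a value set before loading could be
            // replaced by whatever the uploader put in the file.
            report.CalculationMode = StiCalculationMode.Interpretation;
            return report;
        }
    }

    public static void RenderUntrusted(Stream upload)
    {
        StiReport report = LoadForRendering(upload);
        report.Render(false); // false: render without a progress dialog
    }
}
```

The designer options and the packed or encrypted file formats mentioned earlier in the thread act on the client side; this check runs where the uploaded file is actually loaded.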