***Designing, reviewing, and verifying Entity Framework** to ensure it meets the agreed upon security principles.

***Helping developers write secure applications** by raising awareness of the security concerns that EF handles and guidance that should be followed when using EF.

**NOTE:** THIS DOCUMENT CAPTURES THE SECURITY DESIGN FOR EF CORE. SINCE EF CORE IS STILL PRE-RELEASE, NOT ALL GUARANTEES LISTED HERE MAY BE IMPLEMENTED AND/OR VERIFIED YET.

Entity Framework Core is a lightweight, extensible, open source and cross-platform version of the popular Entity Framework data access technology.

EF Core can serve as an object-relational mapper (O/RM), enabling .NET developers to work with a database using .NET objects, and eliminating the need for most of the data-access code they usually need to write.

A query, usually with data in parameters, is sent to the database, then a response, usually with data, is received from the database.

* Communication with the database

* EF is a layer on top of the lower-level database driver or SDK (e.g. SqlClient for SQL Server) and relies on it securing the connection to the database.

* Logging, diagnostics

* EF doesn't offer any built-in sinks for logging or diagnostics. This is only considered a trust boundary as part of the defense in depth strategy.

* Loading migration assembly for migration operations at runtime

* The name of the migration assembly to load must be specified in the DbContext options:

services.AddDbContext<ApplicationDbContext>(options=>options.UseSqlServer(

x=>x.MigrationsAssembly("WebApplication1.Migrations")));

```

*An `Assembly`instancecanbeusedinsteadofthestring.

*Whenunspecified,the `ApplicationDbContext`assemblywillbeused.

*TheEFtoolsbuildthespecifiedprojectandloadtheassemblyspecifiedbythe `TargetFileName`MSBuildproperty.

*TheEFtoolsaredistributedinseparateNuGetpackages- `dotnet-ef`, `Microsoft.EntityFrameworkCore.Tools`, `Microsoft.EntityFrameworkCore.Tasks`.Thesearemeantonlytoprovidedesign-timefunctionalityandshouldn't be deployed with the app.

*Thisthreatmodelassumesthatalltenantsusingagivenappinstancehavethesametrustlevel.Developersareresponsibleforisolatinguntrustedtenants.

###Untrusted/unknowndatabases

AtrustboundaryexistsbetweenEFandthedatabaseitconnectsto;thatis,EFsupportsuntrustedresultsetscomingfromthedatabase.Thismeansthattherearenoknownexploits**viaEF**usingmaliciousdatabasecontents.

EFcontainsa "scaffolding"feature,whichexaminesthemetadataofanexistingdatabase (tables,columns)andgenerates .NETcodewhichcanbeusedtoaccessthatdatabase.Asaspecificcaseofguaranteedetailedjustabove,EFguaranteesthatsuchscaffoldedcode -whichisgeneratedbasedone.g.tableandcolumnnamesinthescaffoldeddatabase -issafetorun,andcannotbeusedasavectorfore.g.aremotecodeexecutionattackviaamaliciouslycraftedtablename.

####Exercisecautionwithuntrusted/unknowndatabases

However,connectingandinteractingwithanunknown/untrusteddatabasesinherentlyandunavoidablybringssubstantialriskswithit,whichgobeyondattacksspecificallyagainstEFitself.Forexample,anunknowndatabasecancontainhugeamountsofdataasaformofattack:dependingonhowtheapplicationqueriesthedatabaseandwhatitdoeswiththeresults,aqueryagainstsuchamaliciouslyhugedatasetcouldproduceadenialofservice (thiswouldbeavulnerabilityintheapplication,notinEF).SQLJOINsinrelationaldatabasecanexacerbatethisproblembycausingarelativelysmalldatasettoproduceahugequeryresultset (viatheso-called "cartesianexplosion"phenomenon).SpecialcareshouldbetakenwhenemployingJOINsagainstuntrusteddatabases.

Tosummarize,whileEFnarrowlyguaranteesthatitsowncodeshallnotbevulnerabletosecurityattacksviadatareturnedfromthedatabase,applicationcodeusingEFmaycontainsuchvulnerabilities,whichareoutsideofEF'sscopeofresponsibility.Asaresult,andregardlessoftheEFguaranteeprovidedabove,wehighlyrecommendproceedingwithextremecautionwhenconnectingtodatabaseswhoseoriginandcontentsareunknown

##Storageofsecrets

EFdoesn'tstoreanysecrets,itonlypassesthroughtheconnectionstringtotheunderlyingdatabaseprovider.

However,ifthesuppliedconnectionstringisoftheformat `name=MyConnection`EFwillusethe `IConfiguration`servicefromtheserviceproviderwhere `DbContext`wasregisteredtoresolve `"MyConnection"`or `"ConnectionStrings:MyConnection"`.See [connectionstringdocumentation](https://learn.microsoft.com/ef/core/miscellaneous/connection-strings#aspnet-core) for more details.

##Serialization

*JSON (de)serializerofsomepayloads (Utf8JsonWriter/Utf8JsonReader)

*Composingandreceivingdatafromthedatabaseserver.EFreliesonthedatabasedriverforthelow-level (de)serializationinvolvedinthedatabasecommunicationprotocol.

###Dataformat

EFdoesn'tload,constructorexecutecodedynamicallybasedonthedatareceivedfromthedatabase.Alltypesarespecifiedinthemodelinadvance.Themodelisconsideredtrusted.

ForJSONEFexpectsthepropertynamestobetheexactlythesameasconfiguredinthemodel,similarlyforcolumnnamesin `DbDataReader`.Extradatawillbeeitherignoredorresultinanexception.ForduplicatedJSONpropertiesthelastvaluewilltakeprecedence.

EFdoesn'tassumeanyparticularorderforpropertieswhendeserializing.Duringserializationdiscriminator (`$type`)comesfirst,thenkeys,thentherestinadeterministicorder.

OnlyconfigurationintheEFmodelwillbeusedtodeterminetheexpecteddatashapeandhowtheentityobjectwillbecreated, [someattributesonentitytypecaninfluencethis](https://learn.microsoft.com/ef/core/modeling/#use-data-annotations-to-configure-a-model), but attributes that affect JSON (de)serialization outside EF like `[JsonPropertyName("")]` are ignored.

ThereisnoAPIthatcanbeusedbythedevelopertoprovideaJSONstringora `DbDataReader`tobedeserialized,thisishandledinternallybytheproviderforaspecificdatabase.

EFprovidersandpluginscanextendorreplacesomeofthe (de)serializationlogicandcouldintroducevulnurabilities.

###Exceptions

Bydefault,alldataiscensoredinexceptionmessages.Schemainformationlikepropertyandcolumnnamesisnotconsideredsensitive.

###Recursiveness

JSONsupportsrecursiveprimitivecollections.AndforrelationaldataEFsupportsself-joins,butinbothcasesthedeveloperhastoexplicitlysettherecursiondepthintheirqueryeitherthroughthequeryshapeortheconfigurationofthedatatype.

###Complexity

ForJSONEFonlydoesaconstantamountofworkforeachvaluereturnedbythe `Utf8Reader`,sameforeachvaluein `DbDataReader`.

Somequeriescanproducea [cartesianexplosion](https://learn.microsoft.com/en-us/ef/core/querying/single-split-queries#cartesian-explosion) where the number of rows returned is the product of the number of rows the select from 2 or more tables. This can be mitigated by using `AsSplitQuery`. EF Core also produces a warning for this case as it's an issue in the user's code that can be easy to miss.

EFcreatesobjectsatlinearrelationtothedatareceived.TheamountofworkEFperformsisO(n)wherethenisthesizeofthedatabaseresponse.

Forparticularlylargedatasetsstreamingorpagingcanbeusedtolimitthepeakamountofmemoryused.

##Threats

###Querypipeline/BulkCUD

####SQLInjection

MostEFqueriesarespecifiedusingLINQwhereuserinputissentasparameterswhicharenotvulnarabletoSQLinjection.Methodslike `ExecuteSql`and `FromSql`accepta `FormattableString`whichcanbeparameterizedaswell.However,themethods `FromSqlRaw`and `ExecuteSqlRaw`accepta `string`andifthedeveloperdirectlyconcatenatesuserinputtothesuppliedSQLcommandanattackercanprovidedatacontainingcommandsthatcanbeusedforSpoofing,Tampering,Repudiation,Informationdisclosure,DenialofserviceorElevationofprivilege.

**Mitigation:**Thesemethodsaredocumentedaspotentiallydangerousandtheuserisresponsibleforinputsanitization.

####JSONdeserializersDoS

AnattackercaninjectmaliciousdatainthedatabasethatcausesDenialofservicefortheclientmachine.

**Mitigation:**EFreliesontheunderlyingdatabaseanddrivertoavoidinjectionandthedevelopersareadvisedtonotdirectlyembeduntrustedJSONstringsinthedatabase.Butasdefenseindepth,EFdeserializerimplementationsusing `Utf8JsonReader`areO(n).

####QuerycacheDoS

InapplicationsthatbuildqueriesdynamicallyanattackercanprovidemaliciousdatathatcausesDenialofservicefortheclientmachinebybloatingthequerycache.

**Mitigation:**Applications [buildingqueriesdynamically](https://learn.microsoft.com/ef/core/performance/advanced-performance-topics?%2Cexpression-api-with-constant#dynamically-constructed-queries) should restrict the ability of user input to affect the query shape to a reasonable degree that's appropriate for the application. As defense in depth EF computes the cache key in O(n) and query cache size is limited to 10240. Developers can call `UseMemoryCache` to provide an instance with a different size limit. Currently, the following sizes are used by the caching mechanism:

*Model - 250

*Compiledquery - 10

*Relationalquerycommand - 10

###Logging,interceptors,diagnostics

####Informationdisclosure

Ifthemechanismusedforlogging,interceptorsordiagnosticscrossesatrustboundaryanattackercanexploitavulnerabilitytocauseInformationdisclosureofthedatainqueriessenttothedatabase.

**Mitigation:**BydefaultEFwon'tincludesensitiveinformationinthecalltologging,interceptorsordiagnostics.Here,sensitiveinformationisthedatathatwouldbesentasparameters.Namesofusertypes,databaseobjectsandconstantsusedinthequeriesarenotconsideredsensitive.EFprovidesastrictersensitivitylevelthatwillalsocensorconstants.

###Modelbuilding

Modelbuildingisbasedonstaticcodeintheloadedassemblyandisconsidertobetrusted.

###TypeMapping

AtypemappingisaninternalobjectthatprovidesinformationonhowaCLRtypemapstoatypenativelysupportedbythetargetdatabase.

####Cachingconsiderations

Typemappingscanbecalculatedrepeatedlyforparameterscontaininguserinputofdifferentlengths,soanattackercanusethistoartificiallybloatthetypemappingcacheuptoasetsizeandpotentiallycauseDenialofservicefortheclientmachine.

Forexample,ifa `string`isprovidedbytheuserEFusesthelengthtodeterminewhetheritneedstobemappedtoSQLdatatypeofaspecificlength - `nvarchar(24)`orunbounded - `nvarchar(max)`.Byprovidingstringsofdifferentlengthstheuserwillcauseanewtypemappingtobecalculatedeachtime.

**Mitigation:**EFwilluseadifferenttypemappingcachingmechanismforqueryparametersandgrouptypemappingsinthecachebasedonalimitednumberofvaluesforthelength.

###Migrations

####MigrationslockDoS

Migrationapplicationcanhappenatruntimeandtakeadatabase-widelockthatcouldcausedelaysandpotentiallycauseDenialofservicefortheclientmachine.Forexample,theattackercouldspiketheloadfortheapplicationthatwouldcauseittoscaleout (ifconfigured)andthiscouldtriggermultipleconcurrentattemptstoapplythemigrations.

**Mitigation:** [Theguidance](https://learn.microsoft.com/ef/core/managing-schemas/migrations/applying#apply-migrations-at-runtime) is to only perform migration application once per deployment.

####Migrationselevationofprivilige

Migrationapplicationrequiresmorepermissionthanrequiredfornormalappoperation.Ifanattackerisablegaincontroloftheapporthecredentialstheywouldbeabletoinflictmoredamagethanotherwise.

**Mitigation:** [Theguidance](https://learn.microsoft.com/ef/core/managing-schemas/migrations/applying#apply-migrations-at-runtime) is to use separate credentials for applying migrations that allow DDL operations and restrict them for the normal app execution.

###CLITools

Thetoolsbuildandloadthedeveloper'sprojectcontainingthecontext,model-buildingcodeandmigrationsbeforerunninganyoperation.EFtoolsrelyonMSBuildtobuildthesupplytheexpectedassemblytoload.

###Providers,Plug-ins

EFextensibilityreliesonlyonstaticcodetoexplicitlyuseprovidersandplug-insthatcouldmodifytheruntimebehavior.

"commitSha":"23d4e5f6eadc48f12ce8cda6174e3a8b85e3c638"

},

{

"barId":283196,

"barId":283287,

"path":"efcore",

"remoteUri":"https://github.com/dotnet/efcore",

"commitSha":"f773207ec7ab883d453b7fdc295e0a21084c0418"

"commitSha":"8a9e809d66e46e1a33cb801c3cbfa3334311fe00"

},

{

"barId":283436,