Security of Data Generators

  • Article

Data generation plans and custom data generators are designed to be shared in a team environment. Before you share data generation files, you must consider whether any security threats exist.

Data generators have the following security concerns:

  • Data generation files contain schema information.

  • Data generations plans are vulnerable to arbitrary Transact-SQL (T-SQL) insertions in data bound generator queries.

  • Custom data generators contain database connection information

  • Custom data generators are vulnerable to arbitrary code insertions.

  • Custom data generator installers are vulnerable to arbitrary code insertions.

Data Generation Plans and Schema Information

When you create a data generation plan, the .dgen file contains the schema of the tables. Database schema information may be considered a sensitive trade secret. When you share a .dgen file, the person you share the file with can see your schema.

Only share data generation plans with trusted sources.

Data Generation Plans and Malicious Code

When a data generation plan contains a data bound generator, you write a T-SQL query that is run when the plan is run. This allows arbitrary T-SQL to be run from within a data generation plan.

Be sure you obtain data generation plans from trusted sources, and warn end users not to run data generation plans they receive from non-trusted sources.

Custom Data Generators and Connection Information

All custom data generators have access to the database connection string at run time. A malicious custom generator could expose the connection string information.

Be sure you obtain custom data generators from trusted sources, and warn end users not to use custom data generators they receive from non-trusted sources.

Custom Data Generators and Malicious Code

Custom data generators are classes that can contain arbitrary code. When you use a custom data generator, it runs with the same permissions as the active user. This can run malicious code in FullTrust mode.

Be sure you obtain custom data generators from trusted sources, and warn end users not to use custom data generators they receive from non-trusted sources.

Custom Data Generator Installers and Malicious Code

You can create deployment projects to install custom data generators. Deployment projects can contain arbitrary code. When you run an installer for a custom data generator, the installer runs with increased privileges. This can run malicious code with increased privileges.

Be sure you obtain custom data generator installers from trusted sources, and warn end users not to run custom data generator installers they receive from non-trusted sources.

See Also

Concepts

Overview of Generating Data

Other Resources

Generating Data with Data Generators
Data Generation Plans
Using Standard Generators
Creating Custom Generators
An Overview of Data Generator Extensibility