We release security updates for the following versions of DDAP:

| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |

Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in DDAP, please report it responsibly:
- Email: Send details to schivei@users.noreply.github.com
- Use subject line: "SECURITY: [Brief Description]"
- Include:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Suggested fix (if you have one)
  - Your contact information
- Do NOT:
  - Disclose the vulnerability publicly before we've had a chance to address it
  - Test the vulnerability on production systems you don't own

- Initial Response: Within 48 hours of submission
- Assessment: We'll assess the vulnerability and determine severity
- Updates: Regular updates on the progress of fixing the issue
- Resolution: We aim to release a patch within 30 days for critical vulnerabilities
- Credit: You'll be credited in the security advisory (unless you prefer to remain anonymous)
- We request a 90-day disclosure embargo to allow time for patching
- Once fixed, we'll publish a security advisory
- You're welcome to publish your findings after the advisory is released
Never hard-code connection strings or credentials:
```csharp
// ❌ BAD: Hard-coded credentials
var connectionString = "Server=myserver;Database=mydb;User Id=sa;Password=MyPassword123;";

// ✅ GOOD: Use configuration
var connectionString = configuration.GetConnectionString("DefaultConnection");
```

DDAP uses parameterized queries by default, but always verify:
```csharp
// ✅ GOOD: Parameterized query (safe) - the value is bound as @Id, never spliced into the SQL text
var entity = await connection.QueryFirstOrDefaultAsync<Entity>(
    "SELECT * FROM Entities WHERE Id = @Id",
    new { Id = id }
);

// ❌ BAD: String interpolation (vulnerable) - user input becomes part of the SQL text
var entity = await connection.QueryFirstOrDefaultAsync<Entity>(
    $"SELECT * FROM Entities WHERE Id = {id}"
);
```

When using DDAP with authentication:
```csharp
// Always validate user permissions before database operations
services.AddAuthorization(options =>
{
    options.AddPolicy("CanReadEntities", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("permission", "entities.read"));
});
```

Always validate and sanitize user input:
```csharp
using System.ComponentModel.DataAnnotations;

public class CreateEntityRequest
{
    [Required]
    [StringLength(100, MinimumLength = 1)]
    public string Name { get; set; } = string.Empty;

    [Range(0, int.MaxValue)]
    public int Value { get; set; }
}
```

- Keep DDAP and all dependencies up to date
- Review Dependabot pull requests promptly
- Monitor security advisories
Never log sensitive information:
```csharp
// ❌ BAD: Logs sensitive data
_logger.LogInformation($"User login: {email}, Password: {password}");

// ✅ GOOD: Logs safely, using a message template so the value is captured as a structured property
_logger.LogInformation("User login attempt for: {Email}", email);
```

DDAP provides direct database access. Applications using DDAP must:
- Implement proper authorization - DDAP doesn't enforce permissions
- Validate all input - Prevent SQL injection and other attacks
- Use secure connections - Enable SSL/TLS for database connections
- Follow least privilege - Database users should have minimal permissions
When exposing DDAP-generated APIs:
- Enable authentication - Don't expose APIs publicly without auth
- Use HTTPS - Always encrypt data in transit
- Implement rate limiting - Prevent abuse
- Validate input - Don't trust client data
Security updates are released as:
- Critical: Immediate patch release (1.x.y → 1.x.y+1)
- High: Patch in next minor release
- Medium/Low: Included in regular releases
Subscribe to:
- GitHub Security Advisories for this repository
- GitHub Watch notifications
- Release notes
- Parameterized Queries: All database operations use parameters by default
- Connection Pooling: Secure connection management
- No Eval/Dynamic SQL: No dynamic SQL generation from user input
- Type Safety: Strong typing prevents many injection attacks
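The "Parameterized Queries" and "No Eval/Dynamic SQL" points above, together with the parameterized query shown earlier, leave out one case a practitioner hits immediately: `@parameters` bind values, not identifiers, so a client-chosen sort column cannot be parameterized and has to go through an allow-list. The example below is added here and is not DDAP's code; it uses the Dapper-style `QueryAsync` API that this page's snippets use plus `Microsoft.Data.SqlClient`, and assumes an `Entities` table with `Id`, `Name` and `Value` columns.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Dapper;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;

// Shape of the Entities table assumed for this example.
public sealed record Entity(int Id, string Name, int Value);

public static class EntityQueries
{
    // @parameters bind values, never identifiers: a client-chosen sort column
    // must be mapped through a fixed allow-list instead of being interpolated.
    private static readonly Dictionary<string, string> SortColumns =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["id"] = "Id",
            ["name"] = "Name",
            ["value"] = "Value",
        };

    // Builds the SQL text and parameter bag without a database, so it can be unit-tested.
    public static (string Sql, DynamicParameters Parameters) BuildSearch(int minValue, string sortBy)
    {
        if (!SortColumns.TryGetValue(sortBy, out var column))
            throw new ArgumentException($"Unsupported sort column '{sortBy}'", nameof(sortBy));

        var parameters = new DynamicParameters();
        parameters.Add("MinValue", minValue);

        // Only the allow-listed identifier is interpolated; the user value stays an @parameter.
        var sql = $"SELECT Id, Name, Value FROM Entities WHERE Value >= @MinValue ORDER BY {column}";
        return (sql, parameters);
    }

    public static async Task<IEnumerable<Entity>> SearchAsync(
        IConfiguration configuration, int minValue, string sortBy)
    {
        // Connection string comes from configuration (user secrets, env vars, vault), never from source.
        var connectionString = configuration.GetConnectionString("DefaultConnection")
            ?? throw new InvalidOperationException("Connection string 'DefaultConnection' is missing");
        var (sql, parameters) = BuildSearch(minValue, sortBy);

        await using var connection = new SqlConnection(connectionString);
        return await connection.QueryAsync<Entity>(sql, parameters);
    }
}
```

Because `BuildSearch` never opens a connection, a unit test can assert that an unknown `sortBy` throws and that the produced SQL contains `@MinValue` rather than the literal value.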
We recommend using DDAP with:
- Authentication: ASP.NET Core Identity, JWT, OAuth
- Authorization: Policy-based authorization
- Rate Limiting: AspNetCoreRateLimit
- WAF: Web Application Firewall in production
- Monitoring: Application Insights, Serilog
We thank the security research community for responsible disclosure and helping keep DDAP secure.
Last Updated: January 2026
Contact: schivei@users.noreply.github.com