Security of Data Generators
Data generation plans and custom data generators are designed to be shared in a team environment. Before you share data generation files, you must consider whether any security threats exist.
Data generators have the following security concerns:
Data generation files contain schema information.
Data generations plans are vulnerable to arbitrary Transact-SQL (T-SQL) insertions in data bound generator queries.
Custom data generators contain database connection information
Custom data generators are vulnerable to arbitrary code insertions.
Custom data generator installers are vulnerable to arbitrary code insertions.
Data Generation Plans and Schema Information
When you create a data generation plan, the .dgen file contains the schema of the tables. Database schema information may be considered a sensitive trade secret. When you share a .dgen file, the person you share the file with can see your schema.
Only share data generation plans with trusted sources.
Data Generation Plans and Malicious Code
When a data generation plan contains a data bound generator, you write a T-SQL query that is run when the plan is run. This allows arbitrary T-SQL to be run from within a data generation plan.
Be sure you obtain data generation plans from trusted sources, and warn end users not to run data generation plans they receive from non-trusted sources.
Custom Data Generators and Connection Information
All custom data generators have access to the database connection string at run time. A malicious custom generator could expose the connection string information.
Be sure you obtain custom data generators from trusted sources, and warn end users not to use custom data generators they receive from non-trusted sources.
Custom Data Generators and Malicious Code
Custom data generators are classes that can contain arbitrary code. When you use a custom data generator, it runs with the same permissions as the active user. This can run malicious code in FullTrust mode.
Be sure you obtain custom data generators from trusted sources, and warn end users not to use custom data generators they receive from non-trusted sources.
Custom Data Generator Installers and Malicious Code
You can create deployment projects to install custom data generators. Deployment projects can contain arbitrary code. When you run an installer for a custom data generator, the installer runs with increased privileges. This can run malicious code with increased privileges.
Be sure you obtain custom data generator installers from trusted sources, and warn end users not to run custom data generator installers they receive from non-trusted sources.
See Also
Concepts
An Overview of Data Generator Extensibility
Other Resources
Generating Data with Data Generators