
I was following this tutorial for me to be familiar with ASP.NET core and other related tech. https://www.codeproject.com/articles/997216/restful-day-sharp-resolve-dependency-of-dependenci

He mentioned that referencing the DataModel in the WebApi project is not a good practice for security reasons. So I did follow him and, to my surprise, I can still access classes in DataModel from my WebApi project just by indirectly referencing it via Services.

The screenshot below shows the relationships of the projects more clearly (from the tutorial).

https://www.codeproject.com/KB/aspnet/990492/image028.jpg

And my actual references on my WebApi project below.

[Screenshot: WebApi's references]

I'm still quite new to .NET and would like to know if that is an expected behavior or this can lead to any security risks.

Lawrence

1 Answer


Is this expected behavior?

Yes. This is what's known as a transitive dependency. Your project can reference the packages referenced by its dependencies, as if the project depended on those packages themselves. This is expected behavior; see: Transitive references in .Net Core 1.1

Can this lead to any security risks?

Not likely. You shouldn't rely on things like package dependency rules to keep your code secure. Instead, make sure your code is written with security in mind - always sanitize user input, use parameterized queries, enforce authorization on the server side, and so on.

Should I rely on transitive dependencies?

Your apps/libraries shouldn't rely on transitive dependencies, because they could disappear on you without any warning (if one of your dependencies changes its dependencies). Instead, be explicit and make any package your code relies on into a proper dependency.

Nate Barbettini
  • That definitely answered my question, though I'm still half-hearted about how I should feel about this, as it somehow looks, I guess, messy? Anyway, thanks for your answer! I'll look around more now that I know the "transitive" term used for this behavior. :) – Lawrence Mar 08 '17 at 18:07
  • @Lawrence I agree, it may not be _insecure_ per se, but it is messy. I'll update my answer with a little more color. Glad it was helpful. :) – Nate Barbettini Mar 08 '17 at 18:40
  • _Your apps/libraries shouldn't rely on transitive dependencies_ – the problem is Visual Studio will happily suggest using transitive dependencies' types without any warning that they're defined in an indirect dependency; you have no way of knowing that. One way you _could_ become aware you're doing that is by noticing an "incorrect" `using` appearing at the top of the file (that is, unless the type lives in an "extension" of an already `using`-ed namespace, then you're out of luck). – Albireo Apr 20 '17 at 10:31
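The answer's advice (make every dependency your code uses an explicit one) and Albireo's complaint (the compiler gives no warning when WebApi code uses a DataModel type through Services) can both be addressed in the consuming project file. The following `WebApi.csproj` is an added example, not code from the question, the answer or the CodeProject tutorial; the project names WebApi, Services and DataModel come from the question, while the relative paths, the `netcoreapp2.0` target and the SDK-style project layout are assumptions (the tutorial's 1.1-era projects would need to be migrated to the SDK-style format first, and `DisableTransitiveProjectReferences` should be checked against the SDK version in use).

```xml
<!-- WebApi/WebApi.csproj (added example; project names from the question, paths assumed) -->
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <!-- Assumed target; substitute the framework the solution actually builds for. -->
    <TargetFramework>netcoreapp2.0</TargetFramework>

    <!-- Stop project references from flowing through transitively.
         With this set, WebApi compiles only against the projects listed below.
         Any WebApi source that uses a DataModel type through Services now fails
         to compile (missing type/namespace) instead of silently working, which
         turns the "no warning" problem from the comments into a build error. -->
    <DisableTransitiveProjectReferences>true</DisableTransitiveProjectReferences>
  </PropertyGroup>

  <ItemGroup>
    <!-- The only dependency WebApi is meant to talk to. -->
    <ProjectReference Include="..\Services\Services.csproj" />

    <!-- If a WebApi file genuinely needs DataModel, say so here explicitly so the
         dependency is visible in the project file and reviewable, rather than
         relying on Services continuing to reference it:
    <ProjectReference Include="..\DataModel\DataModel.csproj" />
    -->
  </ItemGroup>

</Project>
```

The property is a build-time boundary, not a runtime one: the DataModel assembly is still copied to the output directory because Services needs it, so, as the answer says, it does not substitute for input validation, parameterized queries and server-side authorization. What it gives the team is an explicit, reviewable list of what each project may compile against, and a compile error when someone crosses the layering the tutorial draws. The same effect can be applied from the library side by marking the `DataModel` reference inside `Services.csproj` with `PrivateAssets="all"`, which keeps that reference from being handed on to Services' consumers.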