Flow Studio
Datasource Security
Connection string credential storage via ICredentialResolver, SQL injection prevention, read-only enforcement, and the datasource access control model.
Security Controls Summary
| Control | Mechanism | Applies To |
|---|---|---|
| Credential isolation | Connection strings stored via ICredentialResolver (credentialId int) | All datasource types |
| SQL injection prevention | Parameterized queries only; string interpolation blocked | SqlQueryNode |
| Read-only enforcement | SQL validator rejects non-SELECT statements | SqlQueryNode |
| Row limit cap | Hard cap of 500 rows enforced server-side | SqlQueryNode, RestDatasourceNode |
| Query timeout | 30s default, 120s max — prevents long-running queries blocking executors | SqlQueryNode |
| Access control | NodeCapabilityPolicy controls which tenants can use Datasources capability | All datasource types |
| Datasource allowlist | Tenants can be restricted to specific datasource IDs | All datasource types |
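The read-only validator, parameter binding and timeout clamp from the summary table, as an added example in C# (assumed class, method and field names; not Flow Studio's own code). The keyword check is a coarse syntactic guard, so the database account behind the resolved connection string should itself hold only SELECT privileges.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Text.RegularExpressions;

// Hypothetical guard for SqlQueryNode; names are assumed, not Flow Studio's own code.
public static class SqlQueryGuard
{
    public const int MaxRows = 500, DefaultTimeoutSeconds = 30, MaxTimeoutSeconds = 120;
    static readonly Regex Comments = new(@"--[^\r\n]*|/\*.*?\*/", RegexOptions.Singleline);
    static readonly Regex Leading = new(@"^(SELECT|WITH)\b", RegexOptions.IgnoreCase);
    static readonly Regex Forbidden = new(@"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE|GRANT|REVOKE|INTO)\b", RegexOptions.IgnoreCase);

    // Read-only enforcement: a single statement starting with SELECT (or a WITH CTE) and no write
    // keywords. Comments are stripped first so a second statement cannot hide behind "/* ... */".
    // Coarse by design: a keyword inside a string literal also trips it, which is one more reason
    // to bind such values as parameters instead of embedding them in the query text.
    public static string ValidateReadOnly(string sql)
    {
        var text = Comments.Replace(sql ?? "", " ").Trim().TrimEnd(';').Trim();
        if (text.Length == 0) throw new ArgumentException("empty query");
        if (text.Contains(';')) throw new InvalidOperationException("multiple statements are not allowed");
        if (!Leading.IsMatch(text)) throw new InvalidOperationException("only SELECT statements are allowed");
        if (Forbidden.IsMatch(text)) throw new InvalidOperationException("statement is not read-only");
        return text;
    }

    // SQL injection prevention: values travel only as DbParameters, never as interpolated text.
    // Query timeout: 30s when unspecified, never above the 120s maximum.
    public static DbCommand Build(DbConnection conn, string sql, IReadOnlyDictionary<string, object?> args, int? timeoutSeconds = null)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = ValidateReadOnly(sql);
        cmd.CommandTimeout = Math.Clamp(timeoutSeconds ?? DefaultTimeoutSeconds, 1, MaxTimeoutSeconds);
        foreach (var (name, value) in args)
        {
            if (!Regex.IsMatch(name, @"^[A-Za-z_]\w*$")) throw new ArgumentException($"invalid parameter name '{name}'");
            var p = cmd.CreateParameter();
            p.ParameterName = "@" + name;      // '@' prefix assumed; some providers use ':' or '?'
            p.Value = value ?? DBNull.Value;
            cmd.Parameters.Add(p);
        }
        return cmd;
    }
}
```

Row capping is left to the reader loop, which should stop after MaxRows rather than trusting the query's own LIMIT clause.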
Credential Storage
```csharp
// IDatasourceConnectionFactory resolves credentials at connection time.
// Returns DbConnection rather than IDbConnection: OpenAsync is defined on DbConnection only.
public async Task<DbConnection> OpenAsync(DatasourceDefinition datasource, CancellationToken ct)
{
    // The definition carries only a credentialId; the secret is fetched here and never stored with it.
    var connectionString = await _credentials.GetPasswordAsync(datasource.CredentialId, ct);
    var connection = _providerFactory.CreateConnection(datasource.Type);
    connection.ConnectionString = connectionString;
    await connection.OpenAsync(ct);
    return connection;
}
```
Datasource Allowlist (Tenant Policy)
```json
{
  "tenantId": "tenant-acme",
  "allowedDatasourceIds": ["payroll-db", "erp-api"],
  "blockedDatasourceIds": ["hr-legacy-db"]
}
```
Database credentials: Connection strings must be stored via ICredentialResolver. Raw connection strings (including passwords) must never appear in node config, in datasource definitions stored in configuration files, or in environment variables accessible to workflow designers. A connection string in DatasourceDefinition config is a critical security defect.