CodeSmith Project .csp ConnectionStrings Security Tip

I’m working on a CodeSmith template package for distribution that includes a Project .CSP file.  It will be important to set as many property defaults as possible to help people get up to speed with the templates, so I made an effort to set defaults across the board.

I noticed an aspect of how the CSP stores default values that may be something to watch out for if you ever distribute CodeSmith CSPs.  The CSP project properties are stored in XML.  Works great, but if your project uses a SQL object from a data source, that data source connection info will be stored in the CSP as XML.  You share that CSP and you share your connection string.  You would never see the connection string in the CodeSmith UI, but it’s viewable when opening the CSP in a text editor.

I noticed this on a machine running CodeSmith 4.1.3, so for completeness I checked on a machine running CodeSmith 5.0.  The connection strings are stored differently in 4.x and 5.x, but they’re present in both.

<property name="SourceTable">
    <connectionString>server=(local);uid=some_user;pwd=some_password;Trusted_Connection=yes;database=some_database</connectionString>
    <providerType>SchemaExplorer.SqlSchemaProvider, SchemaExplorer.SqlSchemaProvider</providerType>
    <table>
        <owner>dbo</owner>
        <name>dbvt_sometable</name>
    </table>
</property>

Retaining property settings was added in CodeSmith 4.0 and it made life so much better. I’m cool with the connectionString being stored this way personally, since I know how much time I save by not having to re-establish connections. This is something to keep in mind, however, when distributing CodeSmith Project CSPs.
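One way to check a CSP before sharing it, as an added example that is not part of the original post or of CodeSmith: the script below blanks any connectionString element of the form shown above and, because the other version's layout is not shown here, also redacts credential keys found in any other text or attribute. The `<sample>` wrapper, the `Hypothetical` property, and the names `scrub_csp` and `PLACEHOLDER` are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Credential-bearing keys in a SQL Server style connection string.
SECRET_KEYS = re.compile(r"(?i)\b(pwd|password|uid|user id)\s*=\s*[^;]*")
PLACEHOLDER = "REPLACE_WITH_YOUR_CONNECTION_STRING"  # hypothetical marker text

def _redact(value):
    # Keep the key so the reader sees what was there, drop the value.
    return SECRET_KEYS.sub(lambda m: m.group(1) + "=REDACTED", value)

def scrub_csp(xml_text):
    """Return (clean_xml, findings) for the XML text of a .csp file."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = elem.tag.rsplit("}", 1)[-1]  # drop any namespace prefix
        if name.lower() == "connectionstring" and (elem.text or "").strip():
            # The form shown in the post: replace the whole value.
            findings.append((name, "element"))
            elem.text = PLACEHOLDER
            continue
        # Fallback for other layouts: credentials in any text or attribute.
        if elem.text and SECRET_KEYS.search(elem.text):
            findings.append((name, "text"))
            elem.text = _redact(elem.text)
        for attr, value in list(elem.attrib.items()):
            if SECRET_KEYS.search(value):
                findings.append((name + "@" + attr, "attribute"))
                elem.set(attr, _redact(value))
    return ET.tostring(root, encoding="unicode"), findings

# Constructed sample: the first property mirrors the snippet in the post,
# the second is a made-up attribute layout that exercises the fallback.
SAMPLE = """<sample>
  <property name="SourceTable">
    <connectionString>server=(local);uid=some_user;pwd=some_password;database=some_database</connectionString>
    <table><owner>dbo</owner><name>dbvt_sometable</name></table>
  </property>
  <property name="Hypothetical" value="server=(local);uid=a_user;pwd=a_secret;database=db" />
</sample>"""

if __name__ == "__main__":
    clean, findings = scrub_csp(SAMPLE)
    for where, kind in findings:
        print("scrubbed", kind, where)
    print(clean)
```

ElementTree drops comments and the XML declaration and may rewrite namespace prefixes, so diff the scrubbed file against the original before distributing it.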
