Reports using the Compilation calculation mode offer the capability to execute various scripts implemented using the report scripting language. However, these scenarios are not always secure and can potentially lead to negative situations from a cybersecurity perspective. After analyzing the situation, we have decided to enhance the security policy concerning reports in compilation mode. But let's take it one step at a time. By the way, this article presents a detailed comparison of calculation modes.
1) The Ask value allows defining behavior based on user selection. In other words, when attempting to open a report with compilation, the user will need to choose one of the options:
2) The Allow value allows loading compilation reports into the designer or viewer without any notification. This is the most unsafe mode because the user will not be alerted to potential risks when opening reports.
3) The Force Interpretation value compels the Interpretation calculation mode for all reports when opened in the designer or viewer.
4) The Deny value makes it impossible to open reports with the Compilation calculation mode in the designer or viewer. In this case, a restriction message will be displayed to the user.
Additionally, for Stimulsoft components, you can define the behavior when opening reports with compilation using various options. For example:
Options may not be available for some components. For instance, the CompilationAccess option for JS components is not applicable, as the reporting tool for JavaScript lacks a compilation mode, and all reports are loaded in interpretation mode.
The first level of protection
The issue arises when generating new reports and dashboards, as the default report calculation mode is set to Interpretation. If needed, you can modify it at any point. To do so, adjust the "Calculation Mode" report template property to Compilation and, after reading the warning message, click the "Switch to Compilation" button.The second level of protection
The issue lies in the fact that by utilizing the parameter and its various values, you can define the behavior for opening reports with compilation in the designer or viewer. You can customize the behavior when accessing compilation reports by using the Compilation Access option on the Main tab of the Report Designer Options menu. The behavior will be determined based on the selected value. Let's examine them in more detail.1) The Ask value allows defining behavior based on user selection. In other words, when attempting to open a report with compilation, the user will need to choose one of the options:
- Open in Safe Mode, meaning the calculation mode for the report will be forcibly set to Interpretation;
- Open, loading the report with the Compilation calculation mode, along with all potential risks associated with executing unsafe scripts;
- Cancel, halting the loading of the report with compilation into the designer or report viewer.
2) The Allow value allows loading compilation reports into the designer or viewer without any notification. This is the most unsafe mode because the user will not be alerted to potential risks when opening reports.
3) The Force Interpretation value compels the Interpretation calculation mode for all reports when opened in the designer or viewer.
4) The Deny value makes it impossible to open reports with the Compilation calculation mode in the designer or viewer. In this case, a restriction message will be displayed to the user.
Additionally, for Stimulsoft components, you can define the behavior when opening reports with compilation using various options. For example:
StiOptions.Designer.CompilationAccess == StiCompilationAccess.Allow;Options may not be available for some components. For instance, the CompilationAccess option for JS components is not applicable, as the reporting tool for JavaScript lacks a compilation mode, and all reports are loaded in interpretation mode.
Therefore, understanding and implementing these simple measures to protect against undesired scenarios will significantly enhance security when using Stimulsoft products.