Please report security vulnerabilities via GitHub Security Advisory. Do not open a public issue.
ezDDD.NET is a tactical DDD / CQRS library with zero third-party runtime dependencies. Its realistic attack surface is the path by which domain events and aggregates are rebuilt from persisted data: bytes read back from an event store or outbox table should be treated as untrusted input, and the library owns part of that reconstruction pipeline. The following list distinguishes what the maintainer will treat as a security issue from what is out of scope. Edge cases not listed here are welcome as a question on the advisory channel.
- JSON serialization and deserialization performed by the library itself —
JsonUtil(includingDeepCopy<T>) inEzDdd.Common, and the event persistence round-trip inDomainEventMapper/DomainEventDataBuilderinEzDdd.UseCase, all built onSystem.Text.Json. Crafted JSON payloads or poisoned event store contents that cause the library's own serialize / deserialize code path to behave unsafely (e.g., unexpected exception leakage, resource exhaustion amplified by library-internal choices) are in scope. - Event type resolution in
DomainEventTypeMapper(EzDdd.Entity). The mapper deliberately resolves stored type-name strings only through an explicit registration map — never viaType.GetTypeon attacker-controlled strings. Any way a crafted stored type name could cause the library to resolve or instantiate a type outside that registration map is in scope. - Reflection-based aggregate reconstruction in
EsRepository(EzDdd.UseCase), which locates a public replay constructor via cachedConstructorInfoand invokes it with the loaded event stream. If crafted event store data could cause the library to invoke members other than the documentedTAggregate(IEnumerable<IInternalDomainEvent>)constructor, or to bypass the aggregate's replay path, that is in scope. - Exception message content generated by the library, if that content unexpectedly discloses information beyond type names and the data the caller or the event store supplied.
- User-supplied domain logic.
When(),EnsureInvariant(), and use case implementations are the caller's code; the library replays events through them by design. Side effects, slow logic, or resource usage inside user domain code — including during event replay — are out of scope. - User implementations of the persistence and query SPIs (
IRepositoryPeer,IArchive, projector/notifier infrastructure, etc.). Securing the event store, outbox table, and message transport — including authentication, integrity, and access control of stored events — is the integrating application's responsibility. - Documented, expected exceptions.
InvalidOperationException,ArgumentException,RepositorySaveException, and uContract*ViolationExceptiontypes thrown on invalid input, unregistered event types, or invariant violations (see ADR-0011) are the library's correctness signal and not a fault. - Denial of service via caller-supplied data volume. Serializing huge object graphs, deep-copying large aggregates, or replaying very long event streams costs what it costs; the library's pipeline is a thin wrapper over
System.Text.Jsonand constructor invocation. - Vulnerabilities in uContract.NET itself (the only ecosystem dependency, see ADR-0004) — please report those upstream via the uContract.NET security advisory channel.