Protecting C# Applications That Use Automapper
Published on November 18, 2020 by John Brawner
AutoMapper is an object-to-object mapping system used by many of our customers. It aims to simplify and organize code responsible for sharing instance values from an object of one type to an object of a different type.
When applying protection, it is important to note how properties of mapped objects have been configured by AutoMapper. If explicit property mappings have been provided for mapped objects, protection will work without additional configuration. On the other hand, if properties have not been explicitly mapped, you must exclude them from Dotfuscator’s Renaming transform to ensure proper runtime behavior.
Please consider the following example.
I’ve mapped two objects, Customer and CustomerDTO. I have not explicitly mapped individual properties because they have the same name in source. AutoMapper will gather property names via reflection at runtime:
I have also mapped two other objects: Employee and EmployeeDTO. I have provided mappings for the properties, as their names differ in source:
When I build and run the protected application, notice my customer name is displayed correctly, but my Employee name yields an empty result.
In order to prevent this, I will exclude properties of both Customer and CustomerDTO from Dotfuscator’s Renaming transform.
After doing so, we see correct results for both Employee and Customer:
When protecting an application that uses AutoMapper, you should ensure one of the two conditions are true:
1. Properties are explicitly mapped when configuring AutoMapper, OR
2. Property names of mapped objects have been excluded from Dotfuscator’s Renaming transform.
The full example can be downloaded here.
If you have any feedback on this topic, or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.