This issue is classified as MEDIUM severity due to the potential performance degradation caused by incorrect parameter types in Dapper queries. The real-world impact can be significant, but it does not involve data leakage or unauthorized access; mitigating this involves adjusting query parameters.
Dapper maps a .NET string parameter to nvarchar(4000) by default. When such a parameter is compared against a varchar column, SQL Server implicitly converts the column side of the comparison, which can cause significant CPU overhead and prevents the query from using the index on that column, affecting applications that use Dapper for database interactions.
Affected Systems
- Dapper
Affected Versions: All versions where DbType.AnsiString is not explicitly specified for varchar columns
Remediation
- Use DynamicParameters with DbType.AnsiString and specify the size to match the column definition: var parameters = new DynamicParameters(); parameters.Add("productCode", productCode, DbType.AnsiString, size: 100);
- Alternatively, use DbString for anonymous objects: new { productCode = new DbString { Value = productCode, IsAnsi = true, Length = 100 } }
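The two remediations above, side by side with the slow form, as an added example that is not Dapper's own code; it assumes a SQL Server table Products with a column ProductCode varchar(100) and a connection supplied by the caller.

```csharp
// Added example (not part of the Dapper project). Assumes a table Products with
// a column ProductCode varchar(100); requires the Dapper and Microsoft.Data.SqlClient packages.
using System.Data;
using Dapper;
using Microsoft.Data.SqlClient;

public sealed class Product
{
    public int ProductId { get; set; }
    public string ProductCode { get; set; } = "";
}

public static class ProductRepository
{
    private const string Sql =
        "SELECT ProductId, ProductCode FROM Products WHERE ProductCode = @productCode";

    // BEFORE: a plain .NET string is sent as nvarchar(4000). SQL Server then applies an
    // implicit conversion to the varchar column on every row, so the index on ProductCode
    // is scanned instead of sought and CPU time rises with table size.
    public static Product? FindSlow(IDbConnection db, string productCode) =>
        db.QueryFirstOrDefault<Product>(Sql, new { productCode });

    // AFTER (DynamicParameters): declare the parameter as varchar with the column's
    // length so the types match exactly and the index seek is preserved.
    public static Product? FindWithDynamicParameters(IDbConnection db, string productCode)
    {
        var parameters = new DynamicParameters();
        parameters.Add("productCode", productCode, DbType.AnsiString, size: 100);
        return db.QueryFirstOrDefault<Product>(Sql, parameters);
    }

    // AFTER (DbString): same effect when you prefer anonymous parameter objects.
    public static Product? FindWithDbString(IDbConnection db, string productCode) =>
        db.QueryFirstOrDefault<Product>(Sql,
            new { productCode = new DbString { Value = productCode, IsAnsi = true, Length = 100 } });

    // Optional: make varchar the default for every DbString in the process. Set this once
    // at startup only if the schema uses varchar throughout, since it changes global behaviour.
    public static void PreferAnsiStringsGlobally() => DbString.IsAnsiDefault = true;
}
```

To confirm the fix, compare the actual execution plan of FindSlow with either corrected method: the slow version shows a CONVERT_IMPLICIT on the ProductCode column and an index scan, while the corrected versions show an index seek with no conversion.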
Stack Impact
This affects applications using Dapper for SQL Server database interactions. It does not directly impact nginx, docker, linux kernel, openssh, curl, openssl, python, or homelab components.