I was following this tutorial for me to be familiar with ASP.NET core and other related tech. https://www.codeproject.com/articles/997216/restful-day-sharp-resolve-dependency-of-dependenci
He mentioned that referencing the DataModel in the WebApi project is not a good practice for security reasons. So I did follow him and, to my surprise, I can still access classes in DataModel from my WebApi project just by indirectly referencing it via Services.
The screenshot below (from the tutorial) shows the relationships between the projects more clearly.
https://www.codeproject.com/KB/aspnet/990492/image028.jpg
And my actual references on my WebApi project below.

I'm still quite new to .NET and would like to know whether that is expected behavior and whether it can lead to any security risks.
Is this expected behavior?
Yes. This is what's known as a transitive dependency. Your project can reference the packages (and projects) referenced by its dependencies, as if the project depended on those packages itself. This is expected behavior; see: Transitive references in .Net Core 1.1
Can this lead to any security risks?
Not likely. You shouldn't rely on things like package dependency rules to keep your code secure. Instead, make sure your code is written with security in mind - always sanitize user input, use parameterized queries, enforce authorization on the server side, and so on.
Should I rely on transitive dependencies?
Your apps/libraries shouldn't rely on transitive dependencies, because they could disappear on you without any warning (if one of your dependencies changes its dependencies). Instead, be explicit and make any package your code relies on into a proper dependency.
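If you want the layering from the tutorial enforced at compile time anyway, the project that owns the reference can stop it from flowing onward. The following `Services.csproj` is an added example, not code from the question, the answer, or the CodeProject tutorial; the project names come from the tutorial's diagram, while the relative paths and target framework are assumptions.

```xml
<!-- Services/Services.csproj (assumed path; project names follow the tutorial's diagram) -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework; any SDK-style project works the same way. -->
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- PrivateAssets="All" keeps the DataModel reference private to Services:
         projects that reference Services (here, WebApi) no longer see
         DataModel's types at compile time and must add their own
         ProjectReference if they genuinely need them. -->
    <ProjectReference Include="..\DataModel\DataModel.csproj" PrivateAssets="All" />
  </ItemGroup>

</Project>
```

The same effect can be reached from the consuming side by setting the MSBuild property `DisableTransitiveProjectReferences` to `true` in `WebApi.csproj`, which turns off transitive project references for that project as a whole. Either way, a WebApi controller that uses a DataModel entity then fails to compile with a missing-reference error, which is exactly the point: the dependency becomes explicit instead of accidental. Note what this does not do: the DataModel assembly still ships with the deployed WebApi because Services needs it at runtime, so this is a layering convention for the build, not a security boundary. Authorization, input validation and parameterized queries still have to be done in the code itself, as the answer says.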