SQL Script CLR

SQL CLR

Posted by John Liu on Friday, July 7, 2023

Start from SQL2017, CLR strict security is enabled by default in SQL, and treats SAFE and EXTERNAL_ACCESS assemblies as if they were marked UNSAFE. One can disable CLR stric security option but that’s not recommended. Microsoft recommends assembily be signed by a certificate or asymmetric key with corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. DBA can aslo add assembliy to a trusted list by using sys.sp_add_trusted_assembly.

To create a CLR assembly under CLR strict security option, following conditions must meet:

-- the user must have CREATE ASSEMBLY permission.

-- One of the following must also be true:

    -- Assembly is signed with a certificate or asymmetric key that has a corresponding login with UNSAFE ASSEMBLY permission. Signing assembly is recommended.
    
    -- Database has TRUSTWORTHY set to ON, and database owner has UNSAFE ASSEMBLY permission on the server. This option is not recommended.

To use sys.sp_add_trusted_assembly, we need the SHA2_512 hash value of the assembly. We can install the assembly on a version of SQL prior to 2017 and then script it out with its binary string. Then we can use HASHBYTES function to generate the SHA2_512 hash value.

DECLARE @CLRDescription NVARCHAR(4000) = N'your assembly name, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';
DECLARE @CLRBinary VARBINARY(MAX) = 0x000000000000;    --this is the script out assembly binary string
DECLARE @hash VARBINARY(64);
SET @hash = HASHBYTES('SHA2_512', @CLRBinary);
SELECT @hash;
 
EXECUTE sys.sp_add_trusted_assembly @hash, @CLRDescription
 
--SELECT * FROM sys.trusted_assemblies;
FEATURED TAGS
ai api automation availability availability-sets availability-zones aws-vm azure azure-automation-runbook azure-blob azure-cosmos-db azure-data-lake azure-deployment azure-function-app azure-functions azure-openai azure-sign-in azure-site-recovery azure-sql-database azure-subscription azure-vm base64 certificate change-data-capture change-tracking chrome clr container cte data-api-builder data-conversion data-gateway database-mail database-role database-size date-table dax db-config derived-table diagram direct-query disk-management disk-space docker downtime dtc dynamic-m-parameter embedding encrypted-connection excel excel-online excel-online-for-business execution-plan extended-events external-data fabric fabric-capacity failover-cluster fk geometry hierarchy httpwebrequest hugo hyper-v incognito-mode index infrastructure inline-tvf json kql lakehouse linked-server live-query-statistics locking m machine-learning machine-learning-model machine-learning-services master-key mcp mdx memory memory-grant mermaid mirrored-sql-server network network-card network-category office-script onedrive onnx-runtime openrowset p2v parquet performance polybase power-automate power-bi power-bi-report-tricks power-platform power-query powershell printer public-ip-address pyspark python qgis qt-designer query-performance query-plan query-troubleshooting r regex replication route s3 schema-design scripting self-signed-certificate server-role sharepoint snowflake software-development sofware-development spark sql sql-2025 sql-agent sql-availability-group sql-error sql-failover-cluster-instance sql-index sql-openjson sql-permission sql-recovery sql-script sql-security sql-server sql-server-admin sql-server-config sql-statistics ssis ssisdb ssl ssl/tls-error ssms table-expression tempdb terraform tips troubleshooting unicode view visual-studio visual-studio-code vmware wait-statistics wi-fi-connection-issue windows-settings