Security fixes

[bradsp]

This pull request updates all database and logging configuration values across the solution to use environment variable placeholders instead of hardcoded values. This change improves security and flexibility by allowing different environments (development, test, production) to be configured without modifying source code.

Configuration modernization and environment variable support:

• All database connection strings and related settings in App.config, .settings, and .Designer.cs files for both Lab PA WinForms UI and Lab Patient Accounting Job Scheduler projects now use placeholders (e.g., ${DB_SERVER}, ${DB_NAME}) instead of hardcoded values. This includes production, test, and logging databases. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19]

• All NLog database target connection strings across projects are updated to use environment variable placeholders for server, database, username, and password, supporting secure and dynamic logging configuration. [1] [2] [3]

Application logic and UI updates:

• The main menu in LabBillingConsole/Program.cs now displays generic database names ("Production Database", "Test Database") and fetches server/database names from environment variables, improving clarity and supporting dynamic configuration. [1] [2]

• The Tag property for the billing reports menu item in AuditReportsForm.Designer.cs is updated to use environment variable placeholders for server names, supporting flexible server selection in the UI.

These changes collectively support better configuration management and deployment practices.

[Copilot]

Pull Request Overview

This PR improves security by replacing hardcoded database credentials and server names with environment variable placeholders throughout the Lab Patient Accounting system configuration files. This change follows security best practices by removing sensitive information from source code and enabling environment-specific configuration management.

• Replaced all hardcoded database credentials, server names, and database names with environment variable placeholders (e.g., ${DB_SERVER}, ${DB_PASSWORD})
• Updated NLog database connection strings to use environment variables for secure logging configuration
• Modified application code to retrieve configuration values from environment variables with fallback defaults

Reviewed Changes

Copilot reviewed 12 out of 16 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
SECURITY_CONFIGURATION_REMEDIATION.md	Documentation detailing security remediation changes and required environment variables
Multiple .settings files	Database configuration values replaced with environment variable placeholders
Multiple NLog.config files	Logging database connection strings updated to use environment variables
Multiple App.config files	Application configuration updated with environment variable placeholders
LabBillingConsole/Program.cs	Menu display and database selection logic updated to use environment variables

Files not reviewed (4)

• Lab PA WinForms UI/Legacy Forms/AuditReportsForm.Designer.cs: Language not supported
• Lab PA WinForms UI/Properties/Settings.Designer.cs: Language not supported
• Lab Patient Accounting Job Scheduler/Settings.Designer.cs: Language not supported
• LabBillingService/Properties/Settings.Designer.cs: Language not supported

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The environment variable ${LOG_DB_SERVER} is inconsistent with other logging configurations that use ${DB_SERVER}. This inconsistency could lead to configuration errors. Consider using ${DB_SERVER} to match the pattern used in other NLog.config files.

Suggested change

	connectionString="Data Source=${LOG_DB_SERVER};Initial Catalog=${LOG_DB_NAME};Integrated Security=true;Encrypt=false;Trust Server Certificate=true"
	connectionString="Data Source=${DB_SERVER};Initial Catalog=${LOG_DB_NAME};Integrated Security=true;Encrypt=false;Trust Server Certificate=true"

[cursor]

Bug: Environment Variable Fallback Uses Placeholder Strings

When environment variables are not set, the fallback logic uses literal placeholder strings (e.g., ${DB_SERVER}) for server and database names. This causes database connection failures as the application attempts to connect to servers literally named after these placeholders.

 

[cursor]

Bug: Configuration System Fails to Expand Environment Variables

The .NET Framework configuration system does not natively expand environment variable placeholders like ${VAR} in App.config or DefaultSettingValueAttribute. This causes the application to use these placeholders as literal strings, leading to database connection failures across the WinForms UI, Job Scheduler, and Billing Service.

Additional Locations (4)

• LabBillingService/App.config#L105-L122
• [Lab PA WinForms UI/App.config#L84-L106](https://github.com/bradsp/Lab-Patient-Accounting/blob/cdece52c60252974dc2e9589a44f13fdcc115ce9/Lab PA WinForms UI/App.config#L84-L106)
• LabBillingService/Properties/Settings.Designer.cs#L27-L64
• [Lab Patient Accounting Job Scheduler/Settings.Designer.cs#L27-L64](https://github.com/bradsp/Lab-Patient-Accounting/blob/cdece52c60252974dc2e9589a44f13fdcc115ce9/Lab Patient Accounting Job Scheduler/Settings.Designer.cs#L27-L64)