Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Breeze.js - Securing IQueryable calls

Tags:

security

iqueryable

breeze

I'm rather new at this, but I've come to understand the security risks of using Breeze to expose an IQueryable<>. Would someone please suggest to me some best practices (or merely some recommendations) for securing an IQueryable collection that's exposed in the JavaScript? Thanks.

like image 247
CCPony Avatar asked Dec 13 '12 15:12

CCPony

2 Answers

I would not expose any data via IQueryable that should nto be sent to the client via a random query. So a projection could be exposed or a DTO.

I'm not sure if this answers your question tho ... What "security risks" are you worried about?

like image 168
John Papa Avatar answered Nov 09 '22 12:11

John Papa

I second this question, too. But to add some specifics along the questions that Ward asked:

In securing queryable services, two traditional issues come to mind:

1) Vertical security: Which items is the currently logged in user (based on user identity or roles) NOT allowed to see in the UI. Those need to be removed from the queryable list. IMO, this can be done as part of the queryable ActionFilter magic by chaining some exclude logic on the returned IQueryable. 2) Horizontal security: Some models contain fields that are not appropriate for the logged in user to see (and/or edit). This is more difficult to handle as it's not a matter of just removing instances from the returned IQueryable. The returned class has a different shape and therefore can be handled either by the json formatter omitting the fields based on security (which AFAIK screws up breeze meta data) or you return a DTO in which case since the DTO doesn't exist in the metadata it's not a full life cycle (updatable) class? (I am asking this not stating it)

I would like to see either built-in support or easy to implement recipes for number 2). Perhaps some sample code to amend the client side metadata to make DTOs work perfectly fine comingled with model objects. The newset VS 2012 SPA templates (in the TodoList app) seem to push DTO variants of the model object both on the queryable and insert/update side. This is similar to the traditional MVC modelviews...

Finally - I'd add a request to auto-handling of the overposting security issue for inserts and updates. This is the reciprocal aspect of 2). Some users should not be able to edit certain fields.

like image 24
t316 Avatar answered Nov 09 '22 12:11

t316
Sign in to Comment

Related questions

Securing AJAX Requests via GUID
How to securely store database connection details
kerberos from Java - getting a Subject for the currently authenticated user
Why is my mprotect function called with 5 arguments?
How do I protect my Flash/Flex SWF with code?
Question about debugger security
An old flaw in X Window System. How does it work?
Security strategies for storing password on disk
How to determine if a directory path was SUBST'd
How to prevent the most number of cheaters for polls?
Things to consider while implementing an original website architecture
How to access authentication alias from EJB deployed to Websphere 6.1
jBCrypt serious issue with checkpw (return true when it shouldn't?)
Testing against hacking attempts
Apache Shiro "with JSF 2.0" ! How does it go?
How can I write an application which utilizes Intel IPT hardware?
Safe way to save encryption keys in iOS
How to calculate the time needed to calculate a SHA-256 hash?
Reading ActivityManager-logs on a Jelly Bean device?
Template to perform automatic memory overwrite on destruction

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!