 

Breeze.js - Securing IQueryable calls

I'm rather new at this, but I've come to understand the security risks of using Breeze to expose an IQueryable<>. Would someone please suggest to me some best practices (or merely some recommendations) for securing an IQueryable collection that's exposed in the JavaScript? Thanks.

CCPony asked Dec 13 '12 15:12


2 Answers

I would not expose any data via IQueryable that should not be sent to the client via a random query. So a projection could be exposed or a DTO.

I'm not sure if this answers your question though ... What "security risks" are you worried about?

John Papa answered Nov 09 '22 12:11


I second this question, too. But to add some specifics along the questions that Ward asked:

In securing queryable services, two traditional issues come to mind:

1) Vertical security: Which items is the currently logged in user (based on user identity or roles) NOT allowed to see in the UI? Those need to be removed from the queryable list. IMO, this can be done as part of the queryable ActionFilter magic by chaining some exclude logic on the returned IQueryable.

2) Horizontal security: Some models contain fields that are not appropriate for the logged in user to see (and/or edit). This is more difficult to handle as it's not a matter of just removing instances from the returned IQueryable. The returned class has a different shape and therefore can be handled either by the JSON formatter omitting the fields based on security (which AFAIK screws up Breeze metadata), or you return a DTO, in which case, since the DTO doesn't exist in the metadata, it's not a full life cycle (updatable) class? (I am asking this, not stating it.)

I would like to see either built-in support or easy to implement recipes for number 2). Perhaps some sample code to amend the client side metadata to make DTOs work perfectly fine commingled with model objects. The newest VS 2012 SPA templates (in the TodoList app) seem to push DTO variants of the model object both on the queryable and insert/update side. This is similar to the traditional MVC modelviews...

Finally - I'd add a request to auto-handling of the overposting security issue for inserts and updates. This is the reciprocal aspect of 2). Some users should not be able to edit certain fields.

t316 answered Nov 09 '22 12:11
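The three concerns raised in the two answers above (John Papa's "expose a projection or a DTO", and t316's vertical security, horizontal security and overposting on save) can all be enforced on the server side of a Breeze Web API controller. The following is an added example, not code from the thread or from the Breeze project. It assumes a hypothetical `Order` entity, `OrderDto` projection, `AppDbContext` and a "Manager" role, and the Breeze.ContextProvider / Breeze.ContextProvider.EF6 / Breeze.WebApi2 packages on ASP.NET Web API 2.

```csharp
using System.Data.Entity;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Web.Http;
using Breeze.ContextProvider;
using Breeze.ContextProvider.EF6;
using Breeze.WebApi2;
using Newtonsoft.Json.Linq;

// Hypothetical EF model, assumed for this example (not from the thread).
public class Order
{
    public int Id { get; set; }
    public string OwnerUserId { get; set; }    // row owner; drives vertical security
    public decimal Total { get; set; }
    public bool Approved { get; set; }         // only managers may change this
    public string InternalNotes { get; set; }  // staff-only; non-managers must never see it
}

// Shape handed to non-managers: the sensitive columns simply do not exist here.
public class OrderDto
{
    public int Id { get; set; }
    public decimal Total { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<Order> Orders { get; set; }
}

// Save-side guard. BeforeSaveEntity is called once per entity in the save bundle.
public class GuardedContextProvider : EFContextProvider<AppDbContext>
{
    private static readonly string[] ManagerOnlyProps = { "Approved", "InternalNotes", "OwnerUserId" };
    private readonly IPrincipal _user;

    public GuardedContextProvider(IPrincipal user) { _user = user; }

    protected override bool BeforeSaveEntity(EntityInfo entityInfo)
    {
        var order = entityInfo.Entity as Order;
        if (order == null) return true;             // other entity types: no extra rules here
        if (_user.IsInRole("Manager")) return true;  // managers may edit every field

        var me = _user.Identity.Name;

        if (entityInfo.EntityState == EntityState.Added)
        {
            // Overposting on insert: overwrite whatever the client sent for protected fields.
            order.OwnerUserId = me;
            order.Approved = false;
            order.InternalNotes = null;
            return true;
        }

        // Ownership (update or delete) is checked against the database row, never against
        // the client's copy: the entity and OriginalValuesMap are both client-supplied.
        var ownerInDb = Context.Orders.AsNoTracking()
            .Where(o => o.Id == order.Id)
            .Select(o => o.OwnerUserId)
            .FirstOrDefault();
        if (ownerInDb != me) Forbid("not the owner of order " + order.Id);

        // Overposting on update: the client lists the properties it changed in
        // OriginalValuesMap; a protected property in that list rejects the whole save.
        if (entityInfo.OriginalValuesMap != null &&
            entityInfo.OriginalValuesMap.Keys.Any(k => ManagerOnlyProps.Contains(k)))
        {
            Forbid("attempt to change a manager-only field on order " + order.Id);
        }
        return true;
    }

    private static void Forbid(string reason)
    {
        // Plain Web API exception: the save bundle is rejected with 403.
        throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Forbidden)
        {
            Content = new StringContent(reason)
        });
    }
}

[BreezeController]
public class OrdersController : ApiController
{
    private GuardedContextProvider _ctx;
    // Built lazily so that User (the request principal) is already populated.
    private GuardedContextProvider Ctx
    {
        get { return _ctx ?? (_ctx = new GuardedContextProvider(User)); }
    }

    [HttpGet]
    public string Metadata() { return Ctx.Metadata(); }

    // Full entity shape for managers only; [Authorize] rejects everyone else before
    // the query is built, so the raw IQueryable never reaches an unauthorized caller.
    [HttpGet, Authorize(Roles = "Manager")]
    public IQueryable<Order> Orders() { return Ctx.Context.Orders; }

    // Everyone else: vertical filter (Where) plus horizontal projection (Select).
    // The client's OData options ($filter, $orderby, $top, $skip) are composed on top
    // of this expression, so they can only narrow the result, never widen it.
    [HttpGet]
    public IQueryable<OrderDto> MyOrders()
    {
        var me = User.Identity.Name;
        return Ctx.Context.Orders
            .Where(o => o.OwnerUserId == me)
            .Select(o => new OrderDto { Id = o.Id, Total = o.Total });
    }

    [HttpPost]
    public SaveResult SaveChanges(JObject saveBundle) { return Ctx.SaveChanges(saveBundle); }
}
```

Two checks worth keeping in mind with this pattern. A `Where` on the root entity does not filter rows reached through `$expand` on a navigation property, so an exposed `IQueryable<Order>` with navigation properties needs the same treatment on each target type (or navigation kept out of the exposed shape, as the DTO does here). And because `OrderDto` is not in the Breeze metadata, the client receives it as plain data that is not tracked by the entity manager; edits have to go through a separate save endpoint rather than `SaveChanges`, which is the trade-off t316's point 2) asks about.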