c# - Document sniffing via Load<>?


I'm using RavenDB with ASP.NET Web API, and I've noticed that it's possible to query other documents through the Load<Type> method.

for example:

```csharp
public class Person
{
    public string Id { get; set; }
    public string FullName { get; set; }
    /* other properties */
}

public class Pet
{
    public string Id { get; set; }
    public string FullName { get; set; }
}

[HttpGet]
public Person FindById(string id)
{
    using (IDocumentSession session = _docStore.OpenSession())
    {
        return session.Load<Person>(id);
    }
}
```

If I call FindById("pets/13") via AJAX on the Web API method, I get a Person object filled with the Pet's entity data, because they share common properties. How can I avoid that? It could expose confidential data to attackers.

Even if the properties don't match, an object with null properties is returned, exposing the existence of an entity with the given id.

My current workaround is:

```csharp
[HttpGet]
public Person FindById(string id)
{
    using (IDocumentSession session = _docStore.OpenSession())
    {
        // Force the "people/" collection prefix, keeping only the key part of the supplied id.
        return session.Load<Person>("people/" + id.Split('/')[1]);
    }
}
```

Ids are unique across documents. Don't abuse that: you're calling session.Load<Person>, and you're passing in the id of a Pet. Don't do that.

Internally, Raven is doing this:

  1. "Find the JSON document with id = 'pets/13'."
  2. Got it! Now, turn the JSON document into... uh... the developer asked for a Person.
  3. It kinda-sorta works as a Person. Return that, since the developer told me to.

Basically, you told Raven to return a Person, and it did the best it could, turning the Pet JSON document into a Person object, as you told it to.

If you're concerned about malicious use of the FindById method, throw an exception if the id isn't a Person id:

```csharp
[HttpGet]
public Person FindById(string id)
{
    // We're concerned someone might call FindById and fish for non-Person objects.
    if (!id.StartsWith("people/"))
    {
        throw new ArgumentException("Naughty!");
    }

    using (IDocumentSession session = _docStore.OpenSession())
    {
        return session.Load<Person>(id);
    }
}
```
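A hardened version of the endpoint, added here as an example rather than code from either the question or the answer. It validates the id against the Person collection prefix before touching the store, and answers a rejected or missing id with the same 404 so that a probe for "pets/13" looks no different from a probe for a non-existent Person, which closes the existence oracle the question mentions. It assumes the default RavenDB convention that Person documents are keyed "people/<number>" (HiLo-generated numeric keys) and that the controller receives an IDocumentStore; the class name PeopleController is hypothetical.

```csharp
using System;
using System.Net;
using System.Web.Http;
using Raven.Client;

// Person as declared in the question (FullName is the only property shown).
public class Person
{
    public string Id { get; set; }
    public string FullName { get; set; }
}

// Added example, not the original poster's or answerer's code.
public class PeopleController : ApiController
{
    private readonly IDocumentStore _docStore;

    public PeopleController(IDocumentStore docStore)
    {
        _docStore = docStore;
    }

    // Assumption: the store's conventions give Person documents ids like "people/13".
    private const string PersonPrefix = "people/";

    // True only for ids of the form "people/<digits>". Another collection ("pets/13"),
    // an empty key ("people/"), a trailing segment ("people/13/x") or whitespace are
    // all rejected before any database round-trip.
    // Assumption: Person keys are HiLo-generated numbers; loosen the digit check if
    // you use semantic ids such as "people/john".
    public static bool IsPersonId(string id)
    {
        if (string.IsNullOrEmpty(id)) return false;

        // RavenDB ids are case-insensitive, so "People/13" and "people/13" name the same
        // document; comparing case-insensitively does not widen what is accepted.
        if (!id.StartsWith(PersonPrefix, StringComparison.OrdinalIgnoreCase)) return false;

        string key = id.Substring(PersonPrefix.Length);
        if (key.Length == 0) return false;

        foreach (char c in key)
        {
            if (c < '0' || c > '9') return false;
        }
        return true;
    }

    [HttpGet]
    public Person FindById(string id)
    {
        // 404 for a malformed/foreign id, not a 500 from ArgumentException: the caller
        // learns nothing about other collections, and the response is indistinguishable
        // from a Person id that simply does not exist.
        if (!IsPersonId(id))
            throw new HttpResponseException(HttpStatusCode.NotFound);

        using (IDocumentSession session = _docStore.OpenSession())
        {
            Person person = session.Load<Person>(id);

            // Same status for "not found" so missing and rejected ids look alike.
            if (person == null)
                throw new HttpResponseException(HttpStatusCode.NotFound);

            return person;
        }
    }
}
```

IsPersonId is static and side-effect free so it can be unit-tested without a document store: "people/13" and "People/13" pass; "pets/13", "people/", "people/13/extra", " people/13" and null fail. The collection prefix is deliberately hard-coded per endpoint rather than derived from the caller's input, which is the property the original workaround ("people/" + id.Split('/')[1]) was reaching for, minus the IndexOutOfRangeException it throws for an id with no slash.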
