ASP.NET (snapshot 2017) Microsoft documentation and samples

Security Guidance for ASP.NET Web API 2 OData

by Mike Wasson

This topic describes some of the security issues that you should consider when exposing a dataset through OData.

EDM Security

The query semantics are based on the entity data model (EDM), not the underlying model types. You can exclude a property from the EDM and it will not be visible to the query. For example, suppose your model includes an Employee type with a Salary property. You might want to exclude this property from the EDM to hide it from clients.

There are two ways to exclude a property from the EDM. You can set the [IgnoreDataMember] attribute on the property in the model class:

    using System.Runtime.Serialization; // IgnoreDataMember

    public class Employee
    {
        public string Name { get; set; }
        public string Title { get; set; }
        [IgnoreDataMember]
        public decimal Salary { get; set; } // Not visible in the EDM
    }

You can also remove the property from the EDM programmatically:

    using System.Web.Http.OData.Builder;

    var modelBuilder = new ODataConventionModelBuilder();
    var employees = modelBuilder.EntitySet<Employee>("Employees");
    employees.EntityType.Ignore(emp => emp.Salary); // Salary is left out of the EDM

Query Security

A malicious or naive client may be able to construct a query that takes a very long time to execute. In the worst case this can disrupt access to your service.

The [Queryable] attribute is an action filter that parses, validates, and applies the query. The filter converts the query options into a LINQ expression. When the OData controller returns an IQueryable type, the IQueryable LINQ provider converts the LINQ expression into a query. Therefore, performance depends on the LINQ provider that is used, and also on the particular characteristics of your dataset or database schema.

For more information about using OData query options in ASP.NET Web API, see Supporting OData Query Options.

If you know that all clients are trusted (for example, in an enterprise environment), or if your dataset is small, query performance might not be an issue. Otherwise, you should consider the following recommendations.
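As an added example (not code from the original article), a controller that combines both sections: Salary is removed from the EDM, and the [Queryable] filter on the action is configured with the attribute's own limit properties (PageSize, MaxTop, MaxNodeCount, AllowedQueryOptions, AllowedOrderByProperties) so that a single request cannot ask for an unbounded result set, an unrestricted $orderby, or an arbitrarily deep $filter. EmployeesController and EmployeeStore are assumed names.

```csharp
using System.Linq;
using System.Web.Http.OData;
using System.Web.Http.OData.Builder;
using System.Web.Http.OData.Query;
using Microsoft.Data.Edm;

// Hypothetical controller for the "Employees" entity set from the EDM section.
public class EmployeesController : ODataController
{
    // Hypothetical data source; in practice an ORM-backed IQueryable whose
    // LINQ provider translates the validated query into SQL.
    private readonly IQueryable<Employee> _employees = EmployeeStore.Query();

    // Build the EDM with Salary ignored. Because query semantics follow the EDM,
    // a request such as $filter=Salary gt 100000 fails validation in the filter
    // instead of being translated into a query against the hidden column.
    public static IEdmModel BuildModel()
    {
        var builder = new ODataConventionModelBuilder();
        var employees = builder.EntitySet<Employee>("Employees");
        employees.EntityType.Ignore(emp => emp.Salary);
        return builder.GetEdmModel();
    }

    // The filter parses and validates the query options before applying them:
    //  - PageSize: server-driven paging, whatever the client asks for
    //  - MaxTop: $top above 100 is rejected
    //  - MaxNodeCount: caps the number of nodes in the $filter expression tree
    //  - AllowedQueryOptions: only these options are accepted; $expand, $select
    //    and others are rejected rather than silently ignored
    //  - AllowedOrderByProperties: $orderby is limited to columns you expect
    //    to be indexed, so a client cannot force a sort on an arbitrary field
    [Queryable(
        PageSize = 25,
        MaxTop = 100,
        MaxNodeCount = 20,
        AllowedQueryOptions = AllowedQueryOptions.Filter
                            | AllowedQueryOptions.OrderBy
                            | AllowedQueryOptions.Top
                            | AllowedQueryOptions.Skip,
        AllowedOrderByProperties = "Name,Title")]
    public IQueryable<Employee> Get()
    {
        return _employees;
    }
}
```

A query that violates any of these limits is answered with 400 Bad Request by the filter, so the expensive LINQ translation never runs.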
