Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[QUERY] BlobContainerClient is not restricted to a specific container #48284

Closed
mhichb opened this issue Feb 13, 2025 · 2 comments
Closed

[QUERY] BlobContainerClient is not restricted to a specific container #48284

mhichb opened this issue Feb 13, 2025 · 2 comments
Assignees
@amnguye
Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention Workflow: This issue is responsible by Azure service team. Storage Storage Service (Queues, Blobs, Files)

Comments

@mhichb
Copy link

mhichb commented Feb 13, 2025
edited
Loading

Library name and version

Azure.Storage.Blobs 12.23.0

Query/Question

For blob client / blob container client, there is no validation to not leave the original container, e.g. in the following example

var path = $"../{otherContainerName}/{pathInOtherContainer}";

var credential = new DefaultAzureCredential();
var blobServiceClient = new BlobServiceClient(new Uri($"https://{storageAccountName}.blob.core.windows.net/"), credential);
var blobContainerClient = blobServiceClient.GetBlobContainerClient(containerName);
var blobClient = blobContainerClient.GetBlobClient(path);
var result = await blobClient.DownloadContentAsync();

result will be filled with the actual content of the file, even though the blob is in another container.

Is it a deliberate choice in design to not validate whether the blob path is contained within the original container? From naming and the fact that a container name was provided in construction, one might think that the client cannot access anything outside the provided container.

In the current situation, it's pretty easy to forget to validate the path and thus become vulnerable to https://cwe.mitre.org/data/definitions/22.html

Providing such a validation library-side would be nice IMO.

Environment

No response
@github-actions github-actions bot added Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention Workflow: This issue is responsible by Azure service team. Storage Storage Service (Queues, Blobs, Files) labels Feb 13, 2025
@github-actions GitHub Actions
Copy link

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

@amnguye amnguye self-assigned this Feb 13, 2025
@amnguye
Copy link
Member

amnguye commented Feb 14, 2025

The entire string of "$"../{otherContainerName}/{pathInOtherContainer}" would be considered the entire blob name/path in the code snippet you provided.

Since ".." and "/" are valid characters within the blob path. The SDK cannot automatically convert ".." as going back a parent directory. Unfortunately changing that behavior would be a breaking change, for customers who intentionally want this behavior.

The SDK cannot provide validation, as validation by the storage service can change. So by default we lean on the source of truth of validation which is the service.

For this scenario, I recommend creating a separate client for a different blob container.

@amnguye amnguye closed this as completed Feb 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@amnguye amnguye

Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention Workflow: This issue is responsible by Azure service team. Storage Storage Service (Queues, Blobs, Files)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@amnguye @mhichb