I'm building an application with a complicated security model. For each row, and for the majority of the persisted entities, I have to store several lists of roles, individual user ids, scopes and attributes.
I know that I can use duplicated fields to improve performance. But I would rather not store the described data with the entity. My concern is not as much with duplication but with the performance penalty of using JSON and the costs of serialisation/deserialization.
Marten uses metadata columns. Can I create my own Metadata Columns to support the security aspects of the app?
Marten's metadata columns are hard-coded in their source.
You could fork Marten and change the DocumentMetadata.cs hard-coded values and calls, or create a solution that lets a user configure these columns.
Related
Does anyone know if there are any known no SQL vulnerabilities with the 'Dynogels' library when interacting with a NO SQL database.
Not using any advanced queries, only bog standard with the existing methods. query(), where(), equals() etc.
Dynogels passes supplied filter/query values using the ExpressionAttributeValues structure, which is separate from the query structure itself (FilterExpression). This is analogous to using parameterized SQL queries, which pass parameters in a separate structure from the query itself.
In other words, as long as you only use untrusted input as filter values, injection that changes the query structure should not be possible:
// Assume "req.body" is untrusted input
Table.query(req.body.key)
.filter('somecolumn').equals(req.body.somecolumn)
.exec(callback);
The above is safe, as long as it is not an application-level vulnerability to allow the user to query for any key. In all of the contexts where untrusted input is used above, it cannot possibly affect the structure of the query.
Disclosure: I am one of the maintainers of dynogels. If you find a vulnerability, please disclose it to us privately so we can address it before publishing details publicly.
Maybe not really a known issue, but dealing with input data in general, and saving it into whatever database you always have to sanitise your data to prevent injections.
As you are dealing with JSON a lot in DynanmoDB, be especially careful when deserialising user input to JSON objects and inserting or updating these objects directly into a NoSQL database. For example make sure the user cannot add extra fields into the JSON object.
It al depends on how you validate your user input.
I think it is safe to say that NoSQL databases access the database more in terms of functions, and JSON objects. You have to worry less about SQL injections than traditional string based access (TSQL) databases.
The Users in my database will be related to many other entities. Is the recommended practice for doing this to have 1 db context for the app? Or, should there be two different ones. It seems that I could retrieve the context through the use of the GetOwinContext()
The standard practice with this is to keep all of your tables for your webapp in 1 database (1 context). One large advantage of this is that you can execute SQL joins based on data that is stored in your Identity tables.
Here is a use case: I have a fileupload entity and table which I need to relate to a specific user (the user that uploaded the file). If everything lives in one database then I can use foreign keys and entity framework navigation properties as I normally would. If I was using a separate database/context for the Identity provided tables, then I would need to query two different database (which is more costly performance-wise) to get my needed data. One query to DB1 to get my user Id and another query to DB2 to get the fileuploads which belong to this user Id
So in short, if you have users related to many other entities (which you mentioned) then I would strongly recommend using 1 database and context.
I have one project,need build more then 300 models, i want use EF codefirst.
But I think saved in one database Seems not so good.
so I want to know how to Save more then 300models to 5 database and use code first?
Do it right?
How to do it?
Have the mature example ?
how to query data by Navigate properties in tow models? They are not in same database,
I want query by lambda int these database like One database (on DbContext).
I am chinase .so English is very Bad.
I hope you can understand what I'm saying
The problem with splitting the models across multiple databases is that you cannot have foreign key relationships between the two databases.
If you are using multiple databases you will need to handle all the navigation yourself in code.
You should consider redesigning the database so that there are less base models and then using application level models to access the required models.
Another option is to use ubermodels keeping all 300 tables and then use application level models. This can be aided by techniques proposed in the article here on shrinking EF models that may help.
I have an app I am building in iOS, version 5. This app is using a WebAPI built with C# which calls SQL Server stored procedures. The WebAPI uses RESTful calls made to populate items within my iOS app which are returned to my iOS after an authentication challenge in JSON format. All of this works well. As a best practice I am interested in the best approach to consuming and returning data back to the database. Right now I have some custom classes or entities that represent the data returned from my service, for example, I pull all product data based on some category or subcategory and populate an array of type Product. This Product class matches the exact structure of the data returned, i.e. ProductID, ProductDescription, etc. I know this can be duplicated with SQLite and CoreData. What I am wondering is this. Does it make sense to use CoreData, if so, what advantages will I see in using CoreData.
Also, a second part to this question. For arrays of items that rarely change, does it make sense to place those items in pLists? An example of this type of data might be something like Units of Measure where quart, cup, gallon, etc would be listed in a UITableView for the user to select from but it's not likely that the application will need these values updated often if ever.
I would recommend RestKit. From RestKit website:
RestKit can populate Core Data associations for you, allowing natural
property based traversal of your data model. It also provides a nice
API on top of the Core Data primitives that simplifies configuration
and querying use cases.
It seems to meet your requirements.
I would not go for SQLite. It may seem easier but using RestKit with Core Data will give you a lot more.
Question
Should autoincremented identity columns have a non-default seed/increment when used in a RESTful web application?
Background
I'm working on my first ASP.NET MVC application and trying to keep my urls RESTful. There is no separate administrative web site for the application. I use attributes to control who can access what parts of the site and what menu items are visible to the current user based on their roles in the system. I (mostly) follow the ActiveRecord DB pattern and use synthetic ids for my tables, including the user table, with the ids being autogenerated identity columns.
It occurred to me this morning that there is a subtle security risk to using default seeds for identity columns in a RESTful application. If you assume that administrative ids, particularly the most powerful ones, are typically created first in an application, then it follows that they will be the lowest numbered ids in the system. While not actually opening a hole in the application, using default values for the seed/increment could make it easier for a cracker to attack a high value target simply by targeting low numbered ids using RESTful actions (such as ChangePassword -- which is one of the out-of-the-box actions in the ASP.NET MVC site template).
Should I add setting a non-default seed to, at least, my users table to my arsenal of security best practices? Is the effect of doing this worth it? Or am I being too paranoid? As a related question, should I be changing the out-of-the-box template names for account-related actions.
My advice is to use GUIDs instead of autoincrementing IDs. That gets rid of the "guessing game" altogether.
I have been very skepticle of using Guid's; however, as Lucerno points out it does help minimize the guessing game depending on how the Guid is generated and used. Guids generated using sequential from SQL Server, would not prevent the guessing game for example.
Guids are also very handy if your have a domain model and your using an ORM like nHibernate or even rolling your own. As it simplifies greatly the complexity of inserting the backreferences since all objects can be given their id's early on.
With that said if your Id's are included in the URL they should be treated as very public data. Even over HTTPS a devious attack could get the whole URL. If your page requests any third party content such as Google analytics for example, the url query string and all, is sent to the third party as the referer for example.
Keep the logged in user on the session on the server side rather than passing it to the client - that way the client can never alter the user id in a malicious query.
I've decided, for now, that I'll address the risk by changing the default seed for autoincrement columns. This isn't hard and won't change the character of the application or the ActiveRecord pattern. Since these columns are also used for foreign key relationships I want to keep them integers to make the indexes more efficient.
I'm not planning on change the default actions unless a different verb makes more sense. Having the interface be intuitive is more important than hiding the action behind an obscure name.