Follow strategies outlined in this help topic to prevent unauthorized server-side operations (and address CWE-284 and CWE-285 security risks).
DevExpress ASP.NET MVC extensions allow data editing by default. To use these extensions in read-only mode, ensure that mapped controllers do not implement actions that modify extension data. Otherwise, a threat actor can send a POST request that calls such a controller action.
To conditionally enable/disable read-only mode (for instance, to only enable delete operations for an admin account), check the condition within the corresponding controller action:
```csharp
using System.Web.Mvc;

// Product, NorthwindDataProvider and SafeExecute are the demo project's own types and helpers.
public partial class GridViewController : Controller {
    [ValidateInput(false)]
    public ActionResult GridViewPartial() {
        return PartialView("GridViewPartial", NorthwindDataProvider.GetProducts());
    }

    [HttpPost, ValidateInput(false)]
    public ActionResult GridViewAddNewPartial(Product product) {
        // Validate user access permissions here
        if (ModelState.IsValid)
            SafeExecute(() => NorthwindDataProvider.InsertProduct(product));
        else
            ViewData["EditError"] = "Please, correct all errors.";
        return GridViewPartial();
    }

    [HttpPost, ValidateInput(false)]
    public ActionResult GridViewUpdatePartial(Product product) {
        // Validate user access permissions here
        if (ModelState.IsValid)
            SafeExecute(() => NorthwindDataProvider.UpdateProduct(product));
        else
            ViewData["EditError"] = "Please, correct all errors.";
        return GridViewPartial();
    }

    [HttpPost, ValidateInput(false)]
    public ActionResult GridViewDeletePartial(int productID = -1) {
        // Validate user access permissions here
        if (productID >= 0)
            SafeExecute(() => NorthwindDataProvider.DeleteProduct(productID));
        return GridViewPartial();
    }
}
```
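One way to fill in the "Validate user access permissions here" placeholders, as an added example that is not part of the help topic or the DevExpress demo: a static role requirement on the delete action via `[Authorize]`, and a conditional check evaluated inside the update action. `Product`, `NorthwindDataProvider` and `SafeExecute` are the demo types used above; the `GridPermissions` helper and the "Admin"/"Editor" role names are assumptions.

```csharp
using System.Net;
using System.Security.Principal;
using System.Web.Mvc;

// Assumed role names; map these onto the application's own identity scheme.
static class GridPermissions {
    public static bool CanEdit(IPrincipal user) {
        return user != null && user.Identity.IsAuthenticated
            && (user.IsInRole("Admin") || user.IsInRole("Editor"));
    }
    public static bool CanDelete(IPrincipal user) {
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("Admin");
    }
}

public partial class GridViewController : Controller {
    // Static rule: the action is never reachable outside the Admin role. The
    // attribute runs before the body, so a POST from an unauthenticated or
    // wrong-role caller is rejected by the MVC pipeline regardless of what
    // the grid UI shows or hides.
    [HttpPost, ValidateInput(false), Authorize(Roles = "Admin")]
    public ActionResult GridViewDeletePartial(int productID = -1) {
        if (productID >= 0)
            SafeExecute(() => NorthwindDataProvider.DeleteProduct(productID));
        return GridViewPartial();
    }

    // Conditional rule: evaluated inside the action, as the help topic suggests.
    // Removing the grid's command buttons client-side does not stop a hand-crafted
    // callback POST, so the decision has to be made here, on the server.
    [HttpPost, ValidateInput(false)]
    public ActionResult GridViewUpdatePartial(Product product) {
        if (!GridPermissions.CanEdit(User))
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        if (ModelState.IsValid)
            SafeExecute(() => NorthwindDataProvider.UpdateProduct(product));
        else
            ViewData["EditError"] = "Please, correct all errors.";
        return GridViewPartial();
    }
}
```

For a fully read-only grid, the simplest control remains the one the topic states first: do not implement the add/update/delete actions at all.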
This section describes how you can disable file management-related operations when using DevExpress MVC Extensions.
By default, the DevExpress File Manager extension only allows users to upload files (while other file management operations are disabled). To enable/disable a specific operation, specify one or more of the following:
Always specify access rules and security permissions to restrict operations for individual files or folders. The following example allows users to download files from all folders except the System folder:
```cshtml
@* View "FileManager": hosts the file manager partial inside a form *@
@model string
@using (Html.BeginForm()) {
    @Html.Partial("FileManagerPartial", Model)
}
```

```cshtml
@* Partial view "FileManagerPartial": download enabled, upload disabled, System folder protected *@
@model string
@Html.DevExpress().FileManager(settings => {
    settings.Name = "fileManager";
    settings.DownloadRouteValues = new { Controller = "FileManager", Action = "DownloadFiles" };
    settings.CallbackRouteValues = new { Controller = "FileManager", Action = "FileManagerPartial" };
    settings.SettingsEditing.AllowDownload = true;
    settings.SettingsUpload.Enabled = false;
    settings.SettingsPermissions.AccessRules.Add(new FileManagerFolderAccessRule { Path = "System", Edit = Rights.Deny });
    settings.SettingsPermissions.AccessRules.Add(new FileManagerFileAccessRule { PathPattern = "System\\*", Download = Rights.Deny });
    // ...
}).BindToFolder(Model).GetHtml()
```
```csharp
using System.IO;
using System.Web.Mvc;
using DevExpress.Web;
using DevExpress.Web.Mvc;

public class FileManagerController : Controller {
    public ActionResult FileManager() {
        return View("FileManager", (object)FileManagerHelper.myRootFolder);
    }

    public ActionResult FileManagerPartial() {
        return PartialView("FileManagerPartial", (object)FileManagerHelper.myRootFolder);
    }

    // Target of DownloadRouteValues. The settings built here on the server,
    // not the view's settings, decide whether the download is permitted.
    public FileStreamResult DownloadFiles() {
        return FileManagerExtension.DownloadFiles(
            FileManagerHelper.CreateFileManagerDownloadSettings(),
            (string)FileManagerHelper.myRootFolder
        );
    }
}

public class FileManagerHelper {
    public static string myRootFolder = Path.Combine(@"Content\", "Common files");

    public static DevExpress.Web.Mvc.FileManagerSettings CreateFileManagerDownloadSettings() {
        var settings = new DevExpress.Web.Mvc.FileManagerSettings();
        var editingSettings = new FileManagerSettingsEditing(null) {
            AllowDownload = true
        };
        settings.SettingsEditing.Assign(editingSettings);
        settings.Name = "FileManager";
        return settings;
    }
}
```
Our MVC Rich Text Editor extension allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable file management operations and hide corresponding UI elements, set the following to Hidden:
The following code sample disables file management operations within our MVC Rich Text Editor:
```cshtml
@Html.DevExpress().RichEdit(settings => {
    settings.Name = "RichEdit";
    settings.CallbackRouteValues = new { Controller = "Home", Action = "RichEditPartial" };
    settings.Settings.Behavior.CreateNew = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.Download = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.Open = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.Printing = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.Save = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.SaveAs = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
}).Open(Server.MapPath("~/App_Data/Documents/Overview.rtf")).GetHtml()
```
The DevExpress MVC Spreadsheet extension allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable file management operations and hide corresponding UI elements, set the following to Hidden:
The following code sample disables file management operations within our MVC Spreadsheet extension:
```cshtml
@Html.DevExpress().Spreadsheet(settings => {
    settings.Name = "Spreadsheet";
    settings.CallbackRouteValues = new { Controller = "Home", Action = "SpreadsheetPartial" };
    settings.Settings.Behavior.CreateNew = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
    settings.Settings.Behavior.Open = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
    settings.Settings.Behavior.Print = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
    settings.Settings.Behavior.Save = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
    settings.Settings.Behavior.SaveAs = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
}).Open(Server.MapPath("~/App_Data/Documents/MonthlyBudget.xlsx")).GetHtml()
```