OData Security

Avinash Karat
3 min read, May 9, 2021


Hi guys, welcome to the second part of OData. In this post, I am going to cover some basic OData security scenarios. Often we come across situations in which we want to limit what users can submit through OData query options, or to validate the query conditions users provide. The different scenarios are listed below:

Scenario 1: Allowing certain query options only

You can restrict your action so that it accepts only specific query options, for example only queries that use $top and $skip.

This can easily be done with a simple property called AllowedQueryOptions.

[Queryable(AllowedQueryOptions = AllowedQueryOptions.Skip | AllowedQueryOptions.Top)]

And the test result is:

Here we can see that the system rejected the OData operation.

Scenario 2: Only want to order the results by certain property, nothing else

Ordering by arbitrary properties can be slow and is often unwanted. There is a simple way to restrict this using AllowedOrderByProperties.

[EnableQuery(AllowedOrderByProperties = "Name")]

Now a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3/?$orderby=SortOrder will fail, since ordering by the SortOrder property is not allowed.

Test Result:

Scenario 4: Limit the value for $top

In the client-driven paging scenario, the server sometimes needs to cap the number of records a client can request with $top. You can use the MaxTop property for this. For demo purposes, I have limited the maximum $top value to 2 in the Bay controller’s GetAll method.

[EnableQuery(MaxTop = 2)]

And the results are:

Scenario 5: Only need eq comparison in $filter

If you know that your trusted clients only use the equality comparison inside $filter, you should validate that as well using AllowedLogicalOperators. Here is how you can do it.

[EnableQuery(AllowedLogicalOperators = AllowedLogicalOperators.Equal)]

Now a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3?$filter=name eq 'Bay 1'

will succeed, while a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3?$filter=sortOrder gt '1' will fail, since gt is not allowed.

Scenario 6: Do not need any of the arithmetic operations in $filter

The OData URL conventions support many convenient arithmetic operators. However, your scenario may not need any of them. You can turn them off by setting AllowedArithmeticOperators to None.

[EnableQuery(AllowedArithmeticOperators = AllowedArithmeticOperators.None)]

Now a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3?$filter=name eq 'Bay 1' will succeed, while a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3?$filter=1 mul 5 gt 9 will fail.
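All of the restrictions from the scenarios above can also be applied together in code, through ODataValidationSettings, which lets the action return a clean 400 instead of an unhandled exception when a query is rejected. This is an added example, not code from the original post; the Bay model, the route, the in-memory data source and the extra MaxNodeCount bound (which caps how large a $filter expression tree may grow, not covered in the scenarios above) are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNet.OData.Query;
using Microsoft.AspNetCore.Mvc;
using Microsoft.OData;

// Assumed model; the post only mentions the Name and SortOrder properties.
public class Bay
{
    public int Id { get; set; }
    public string Name { get; set; }
    public int SortOrder { get; set; }
}

[ApiController]
public class BayController : ControllerBase
{
    // Constructed sample data so the action runs without a database.
    private static readonly IQueryable<Bay> Bays = new List<Bay>
    {
        new Bay { Id = 1, Name = "Bay 1", SortOrder = 10 },
        new Bay { Id = 2, Name = "Bay 2", SortOrder = 20 },
        new Bay { Id = 3, Name = "Bay 3", SortOrder = 30 },
    }.AsQueryable();

    [HttpGet("api/Bay/GetAll")] // assumed route
    public IActionResult GetAll(ODataQueryOptions<Bay> options)
    {
        // Same limits as the [EnableQuery] attributes in the scenarios above,
        // combined into one explicit validation policy.
        var settings = new ODataValidationSettings
        {
            AllowedQueryOptions = AllowedQueryOptions.Filter | AllowedQueryOptions.OrderBy
                                | AllowedQueryOptions.Top | AllowedQueryOptions.Skip,
            AllowedOrderByProperties = { "Name" },                  // Scenario 2
            MaxTop = 2,                                              // Scenario 4
            AllowedLogicalOperators = AllowedLogicalOperators.Equal, // Scenario 5
            AllowedArithmeticOperators = AllowedArithmeticOperators.None, // Scenario 6
            MaxNodeCount = 20, // assumption: bounds $filter complexity
        };

        try
        {
            options.Validate(settings); // throws ODataException on a disallowed query
        }
        catch (ODataException ex)
        {
            return BadRequest(ex.Message); // reject the query, do not run it
        }

        return Ok(options.ApplyTo(Bays));
    }
}
```

With these settings, ?$filter=name eq 'Bay 1' returns 200, while ?$orderby=SortOrder, ?$top=5 and ?$filter=1 mul 5 gt 9 each return 400 before the query ever reaches the data source.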

Conclusion:

That was it. Try OData in your API methods and experience its flexibility!

Thanks for reading!
