Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why not reveal the type and identity of the source to the client?

Tags:

c#

security

linq

On page 220, the C# Language Specification Version 5.0 says:

It is important ... to ensure that the result of a query expression is never the source object itself, as that would reveal the type and identity of the source to the client of the query.

Why would it be problematic to reveal the type and identity of the source to the client of the query?

As an example, a query expression of the form from c in customers select c translates into customers.Select(c => c) instead of just customers.

In the above case, it seems to me that returning customers to the client would be just as good as returning the results of customers.Select(c => c). Why isn't it?

like image 630
Shaun Luttin Avatar asked Oct 20 '25 08:10

Shaun Luttin

1 Answers

Though Robert McKee's answer is plausible and raises an interesting point, it is not actually the primary issue that we had in mind when writing that section of the specification. The issue we actually had in mind was this:

class C 
{
  private List<int> myList = new List<int>();
  // Only the code in C can add items to the list.
  public IEnumerable<int> Items 
  {
    get
    {
      return from item in myList select item;
    }
  }
}

Suppose you have a C in hand. Should you be able to write this code?

((List<int>)c.Items).Add(123);

The existence of a query on a list should not grant code which obtains the query the ability to change the list! It should grant that code the right to execute the query and no more.

Now imagine that instead of a List<int>, the query is actually wrapping a database call. If the caller can obtain the underlying database from the query then perhaps they can make queries or edits to that database that the author of the query did not intend them to make.

Of course, LINQ is not designed to be a security system, and if it is your only line of defense against code that wants to attack your database, you're probably pretty vulnerable. But all security systems work better when their components use good "defense in depth". Not ever leaking the collection that a query is querying is part of a defensive strategy.

For more on this feature, see my article on the subject:

https://web.archive.org/web/20150905090133/http://blogs.msdn.com/b/ericlippert/archive/2008/05/12/trivial-projections-are-usually-optimized-away.aspx

like image 98
Eric Lippert Avatar answered Oct 23 '25 00:10

Eric Lippert
Sign in to Comment

Related questions

What happens if you start too many threads?
Sending email from SMTP server without the need to enter password
List<T> to IEnumerable<T> problem in interface
How do I create an SDK style project for a .net framework 4.7.2 project in using visual studio?
Which is best place to write common codes Static Helper class or Base Class?
Inject dependency dynamically based on call chain using simple injector
How to pre-populate a 'date' input field with Razor/C# values
Get reference to a class and execute static method from only a string value?
Send key "MediaPlayPause" to an application without setting focus to it
Good practice for "ref" arguments and nullable checking
How do you get IndexOf of a string with multiple possible chars?
SendGrid is not an attribute class
Is it OK to create 2 instances of C# MongoClient connecting to the same replica set?
Portable XAML Styles in a Class Library

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!