0

I am working on an Azure Blob Storage which has some image files. I want to use the images in my website, but want to pull the images securely. The code I wrote is using a SAS token generated on the container. However, to retrieve the image, the URL to the image file is used with the SAS token passed as a URL parameter. Isn't that insecure, in the sense that anyone who gets the SAS token, for the time it is valid, can also download the image? Is there some way to post the SAS token back within the request header so that it's protected? How would I achieve this?

So at the moment I can generate a SAS programmatically. But when using it to retrieve the blob I don't want to use the format of https://myblobstore.blob.core.windows.net/test/image-0_8.jpg?skoid=<>&sktid=<>&skt=<>&ske=<>&sks=b&skv=<>&st=<>&se=<>&sr=b&sp=r&sig=<>, since the signature is readable to anyone. Is there another way?

Thanks in advance, Jake.

JakeUT
  • 359
  • 1
  • 4
  • 16

2 Answers

1

What you might be missing (and what I managed to completely forget for a moment, hence doing the research and finding your question) is that for HTTPS the query string is encrypted, just like other parts of the request - hence this isn't more or less safe than passing the SAS token in, e.g., a header or request body.

decPL
  • 5,384
  • 1
  • 26
  • 36
  • 1
    Thanks for the response. You appear to be correct on the query string being encrypted. I didn't realize this was the case... very interesting to learn this. Thanks again! – JakeUT Oct 21 '22 at 20:39
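TLS only protects the SAS while it is on the wire; the token itself is still a bearer credential, so the practical check is to mint it so that it can only be redeemed over HTTPS, for a single blob, read-only, and for a short time. The following is an added example, not code from the question or either answer. It assumes the Azure.Storage.Blobs v12 SDK (BlobSasBuilder, SasProtocol.Https, BlobClient.GenerateSasUri) and uses placeholder account, key and blob names.

```csharp
// Added example (not from the question or answers). Assumes the
// Azure.Storage.Blobs v12 SDK; account name, key and blob names are placeholders.
using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

public static class ScopedSas
{
    // Issue a read-only SAS for one blob that is valid only over HTTPS and
    // only for a few minutes. The token rides in the query string as a bearer
    // credential, so the protocol restriction (spr=https) makes it useless if
    // it is ever replayed over plain HTTP, and the short expiry (se) limits
    // the window in which a leaked copy is any good.
    public static Uri BuildReadOnlyHttpsSasUri(
        string accountName, string accountKey,
        string containerName, string blobName,
        TimeSpan lifetime)
    {
        var credential = new StorageSharedKeyCredential(accountName, accountKey);
        var blobUri = new Uri($"https://{accountName}.blob.core.windows.net/{containerName}/{blobName}");
        var blobClient = new BlobClient(blobUri, credential);

        var builder = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            BlobName = blobName,                               // sr=b: this blob only, not the whole container
            Resource = "b",
            StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),   // small backdate tolerates clock skew
            ExpiresOn = DateTimeOffset.UtcNow.Add(lifetime),   // se: short lifetime
            Protocol = SasProtocol.Https,                      // spr=https
        };
        builder.SetPermissions(BlobSasPermissions.Read);       // sp=r

        // GenerateSasUri signs the builder with the client's shared-key credential
        // and returns the blob URL with the SAS query string appended.
        return blobClient.GenerateSasUri(builder);
    }

    public static void Main()
    {
        // Placeholder values; replace with your own account, key and blob.
        Uri sasUri = BuildReadOnlyHttpsSasUri(
            "myblobstore", "<account-key>", "test", "image-0_8.jpg", TimeSpan.FromMinutes(5));
        Console.WriteLine(sasUri);
    }
}
```

The resulting URL carries the same sr=b, sp=r, st, se and sig parameters shown in the question, plus spr=https; the storage service rejects the token over HTTP regardless of what the browser or an intermediary does with the URL.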
0

I am not sure how the web application was configured. But you can use the below concept of code that might help you to access the blob files or images over a website without displaying the SAS URL in your request header.

Reference piece of code:- Download and display a private Azure Blob using ASP MVC

Additional References:

Couple of points to note:
1) Make sure to set the correct content type (or MIME type).
2) Don't use any streaming APIs (i.e. file stream) - those will by default download the files.
3) If possible try to add the right header (if needed).

Below is the whole source code (it's the controller part):

using System;
using System.Web.Mvc;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

// ViewModel
public class ViewModel
{
    public string FileUrl { get; set; }
}

// Controller action. The class wrapper and method signature were missing from
// the snippet as posted; the controller name below is assumed.
public class HomeController : Controller
{
    public ActionResult Index()
    {
        // Read-only SAS policy that expires five minutes from now
        var readPolicy = new SharedAccessBlobPolicy()
        {
            Permissions = SharedAccessBlobPermissions.Read,
            SharedAccessExpiryTime = DateTime.UtcNow + TimeSpan.FromMinutes(5)
        };

        // Retrieve storage account from connection string.
        string conn = "DefaultEndpointsProtocol=https;AccountName=straccountname;AccountKey=key==;EndpointSuffix=core.windows.net";
        CloudStorageAccount storageAccount = CloudStorageAccount.Parse(conn);

        // Create the blob client.
        CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

        // Retrieve reference to a previously created container.
        CloudBlobContainer container = blobClient.GetContainerReference("test");

        // Retrieve reference to a blob, i.e. "20200809_125724.jpg".
        CloudBlockBlob blockBlob = container.GetBlockBlobReference("20200809_125724.jpg");

        // GetSharedAccessSignature returns the query string (starting with '?'),
        // so appending it to the blob URI yields the full SAS URL for the view.
        var newUri = new Uri(blockBlob.Uri.AbsoluteUri + blockBlob.GetSharedAccessSignature(readPolicy));
        var viewModel = new ViewModel()
        {
            FileUrl = newUri.ToString()
        };
        return View("Index", viewModel);
    }
}

Reference: https://learn.microsoft.com/en-us/answers/questions/252303/sas-url-to-display-in-browser-rather-than-download.html

Madhuraj Vadde
  • 1,099
  • 1
  • 5
  • 13
  • But isn't this line concatenating the Shared Access Signature directly to the URI? var newUri = new Uri(blockBlob.Uri.AbsoluteUri + blockBlob.GetSharedAccessSignature(readPolicy)); When that request goes out, won't it get sent out with the SAS string on the URL request directly? That was my point, that it's not part of the post or header. Correct me if I am wrong. – JakeUT Mar 27 '22 at 03:13
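If the requirement is that the browser never receives a SAS at all (the point raised in the comment above), the alternative is to let the web server read the blob with its own credential and relay the bytes, so the image URL the page uses is a route on your own site rather than a signed storage URL. The following is an added example, not the answer's code and not the linked article's. It assumes ASP.NET Core MVC with the Azure.Storage.Blobs v12 SDK (BlobContainerClient, DownloadStreamingAsync), a placeholder connection string read from configuration in practice, and a container named test as in the answer.

```csharp
// Added example (not from the answer or the linked article). Assumes ASP.NET Core MVC
// and the Azure.Storage.Blobs v12 SDK; the connection string is a placeholder and
// the container name "test" follows the answer above.
using System.Threading.Tasks;
using Azure;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]   // only signed-in users of the web app may fetch images
public class ImagesController : Controller
{
    private readonly BlobContainerClient _container;

    public ImagesController()
    {
        // Placeholder connection string; in practice inject it from configuration
        // or use a managed identity so no key lives in source.
        _container = new BlobContainerClient(
            "DefaultEndpointsProtocol=https;AccountName=<account>;AccountKey=<key>;EndpointSuffix=core.windows.net",
            "test");
    }

    // GET /images/image-0_8.jpg
    // The server reads the blob with its own credential and relays the content,
    // so neither a SAS token nor the account key appears in any URL the browser sees.
    [HttpGet("images/{name}")]
    public async Task<IActionResult> Get(string name)
    {
        // Accept only a plain file name so a caller cannot address blobs
        // under other prefixes through this route.
        if (string.IsNullOrEmpty(name) || name.Contains('/') || name.Contains('\\') || name.Contains(".."))
            return BadRequest();

        var blob = _container.GetBlobClient(name);
        try
        {
            // DownloadStreamingAsync returns the content stream plus the blob's
            // stored properties, including its Content-Type.
            var download = await blob.DownloadStreamingAsync();
            string contentType = download.Value.Details.ContentType ?? "application/octet-stream";

            // File(stream, contentType) with no download file name sends the bytes
            // inline, so <img src="/images/image-0_8.jpg"> renders instead of
            // triggering a download.
            return File(download.Value.Content, contentType);
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return NotFound();
        }
    }
}
```

The trade-off is that image bytes now flow through your web server instead of straight from storage, so this suits private images behind a login; for public or high-volume content the short-lived, HTTPS-only, single-blob SAS in the answer above is the lighter option.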