
I am working on an Azure Blob Storage which has some image files. I want to use the image in my website, but want to pull the images securely. The code I wrote is using a SAS token generated on the container. However, to retrieve the image, the URL to the image file is used with the SAS token passed as a URL parameter. Isn't that insecure in the sense that anyone who gets the SAS token for the time it is valid can also download the image? Is there some way to post the SAS token back within the request header so that it's protected? How would I achieve this?

So at the moment I can generate a SAS programmatically. But when using it to retrieve the blob I don't want to use the format of https://myblobstore.blob.core.windows.net/test/image-0_8.jpg?skoid=<>&sktid=<>&skt=<>&ske=<>&sks=b&skv=<>&st=<>&se=<>&sr=b&sp=r&sig=<>, since the signature is readable to anyone. Is there another way?

Thanks in advance, Jake.

JakeUT

1 Answer


I am not sure how the web application was configured. But you can use the below concept of code that might help you to access the blob files or images over the website without displaying the SAS URL in your request header.

Reference piece of code: Download and display a private Azure Blob using ASP MVC

Additional References:

Couple of points to note:
1) Make sure to set the correct content type (or MIME type).
2) Don't use any streaming APIs (i.e. file stream); those will by default download the files.
3) If possible, try to add the right header (if needed).

Below is the whole source code (it's the controller part):

using System;
using System.Web.Mvc;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

// ViewModel
public class ViewModel
{
    public string FileUrl { get; set; }
}

// Controller (the original snippet omits the class and method signature; they are restored here)
public class HomeController : Controller
{
    public ActionResult Index()
    {
        // Read-only SAS scoped to a single blob, valid for 5 minutes.
        var readPolicy = new SharedAccessBlobPolicy()
        {
            Permissions = SharedAccessBlobPermissions.Read,
            SharedAccessExpiryTime = DateTime.UtcNow + TimeSpan.FromMinutes(5)
        };

        // Retrieve storage account from connection string (placeholder values; load from configuration in practice).
        string conn = "DefaultEndpointsProtocol=https;AccountName=straccountname;AccountKey=key==;EndpointSuffix=core.windows.net";
        CloudStorageAccount storageAccount = CloudStorageAccount.Parse(conn);

        // Create the blob client.
        CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

        // Retrieve reference to a previously created container.
        CloudBlobContainer container = blobClient.GetContainerReference("test");

        // Retrieve reference to a blob, i.e. "20200809_125724.jpg".
        CloudBlockBlob blockBlob = container.GetBlockBlobReference("20200809_125724.jpg");

        // Append the SAS query string to the blob URI; the view uses this URL as the image source.
        var newUri = new Uri(blockBlob.Uri.AbsoluteUri + blockBlob.GetSharedAccessSignature(readPolicy));
        var viewModel = new ViewModel()
        {
            FileUrl = newUri.ToString()
        };
        return View("Index", viewModel);
    }
}

Reference: https://docs.microsoft.com/en-us/answers/questions/252303/sas-url-to-display-in-browser-rather-than-download.html

MadhurajVadde-MT
  • But isn't this line concatenating the Shared Access Signature directly to the URI? var newUri = new Uri(blockBlob.Uri.AbsoluteUri + blockBlob.GetSharedAccessSignature(readPolicy)); When that request goes out, won't it get sent out with the SAS string on the URL request directly? That was my point that it's not part of the post or header. Correct me if I am wrong. – JakeUT Mar 27 '22 at 03:13
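The alternative the question is asking about is for the server to fetch the blob itself and relay the bytes, so that neither a SAS nor the account key ever reaches the browser. The following is an added example, not code from either poster; it uses the same legacy Microsoft.WindowsAzure.Storage SDK and "test" container as the answer, and assumes (hypothetically) an ASP.NET MVC controller named ImagesController and a connection string registered in web.config under the name "Storage".

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Web.Mvc;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

public class ImagesController : Controller
{
    // Assumption: connection string stored in web.config as "Storage".
    // It stays server-side; no key or SAS is ever written into a page or URL.
    private static readonly string Conn =
        ConfigurationManager.ConnectionStrings["Storage"].ConnectionString;

    // GET /Images/Show?name=20200809_125724.jpg
    // The browser asks this action for the image; access control is the
    // application's own (here the standard [Authorize] attribute).
    [Authorize]
    public ActionResult Show(string name)
    {
        // Serve only a bare file name inside the "test" container, so the
        // endpoint cannot be used to read other containers or paths.
        if (string.IsNullOrWhiteSpace(name) || name.Contains("/")
            || name.Contains("\\") || name.Contains(".."))
        {
            return new HttpStatusCodeResult(400);
        }

        CloudStorageAccount account = CloudStorageAccount.Parse(Conn);
        CloudBlockBlob blob = account.CreateCloudBlobClient()
                                     .GetContainerReference("test")
                                     .GetBlockBlobReference(name);

        if (!blob.Exists())
        {
            return HttpNotFound();
        }

        // Buffer the blob server-side and return it with its stored content
        // type, so the browser renders it inline rather than downloading it.
        var buffer = new MemoryStream();
        blob.DownloadToStream(buffer);
        buffer.Position = 0;
        return File(buffer, blob.Properties.ContentType ?? "application/octet-stream");
    }
}
```

In the view, the image tag then points at the action (for example @Url.Action("Show", "Images", new { name = "20200809_125724.jpg" })) instead of at the blob URL, and the request the browser sends carries only the application's own session cookie.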