chris-h Regular Visitor

Validate URL Filter

I'm embedding reports using a URL filter to only show the data that the user is supposed to see. 

An iframe with a URL source is easy to manipulate and therefore a vulnerability, so I've been testing different combinations of bad filters and query strings.

I've found that if I pass a filter with a trailing whitespace character, or anything really that is not supposed to be in the filter, the filter is not applied and the report will show all the data.

E.g. http://localhost/Reports/powerbi/MyReport?filter=tableone/column in ('a', 'b', 'c') &rs:Embed=true

Is there any way of changing this behavior so that when an invalid filter is passed with the URL, no data will show in the report?

 

At the moment the only solution I can think of is to test the filter with a regex. And since I'm using custom security, I end up returning a 403 (I don't know how to return something else, like in this case a 400 Bad Request).
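The post above describes a fail-open behaviour: a filter string that is even slightly malformed (a trailing space) is silently dropped and the report shows everything. The following is an added example, not code from the original post or from Power BI Report Server, of the opposite policy applied before the embed URL is ever handed to the iframe: the filter must match an anchored grammar exactly, it must target the expected table and column, and every value must be in the set of IDs the user was authorized for. Anything else is refused with a 400 (malformed) or 403 (well-formed but not permitted). The grammar (the `in (...)` and `eq` forms), the names `tableone`/`column`, and the allowlist are assumptions modelled on the URL in the post.

```python
"""Fail-closed validation of a report URL filter before it is embedded."""
import re
from urllib.parse import parse_qs, urlparse

# Grammar accepted for a filter. Assumption: modelled on the page's example
#   tableone/column in ('a', 'b', 'c')
# plus the single-value form  tableone/column eq 'a'.
# \A and \Z anchor the match, so a trailing space (the case in the post) or
# any other stray character makes the whole filter fail instead of being ignored.
_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
_VALUE = r"'[^'\\]*'"  # one single-quoted value, no embedded quotes or backslashes
_FILTER_RE = re.compile(
    rf"\A(?P<table>{_IDENT})/(?P<column>{_IDENT}) "
    rf"(?:eq (?P<single>{_VALUE})|in \((?P<list>{_VALUE}(?:, ?{_VALUE})*)\))\Z"
)


class MalformedFilter(ValueError):
    """The filter string is not exactly the expected grammar (maps to 400)."""


class UnauthorizedFilter(PermissionError):
    """The filter is well-formed but names data the user may not see (maps to 403)."""


def parse_filter(filter_value: str) -> tuple[str, str, list[str]]:
    """Return (table, column, values) for an exactly-conforming filter, else raise."""
    m = _FILTER_RE.match(filter_value)
    if m is None:
        raise MalformedFilter(f"filter does not match grammar: {filter_value!r}")
    if m.group("single") is not None:
        quoted = [m.group("single")]
    else:
        quoted = re.findall(_VALUE, m.group("list"))
    return m.group("table"), m.group("column"), [v[1:-1] for v in quoted]


def authorize_filter(filter_value: str, table: str, column: str, allowed_values) -> list[str]:
    """Parse the filter, then require it to target the expected column and to use
    only values from the caller's allowlist (the IDs a security extension authorized)."""
    got_table, got_column, values = parse_filter(filter_value)
    if (got_table, got_column) != (table, column):
        raise UnauthorizedFilter(f"filter targets {got_table}/{got_column}, expected {table}/{column}")
    extra = sorted(set(values) - set(allowed_values))
    if extra:
        raise UnauthorizedFilter(f"values not permitted for this user: {extra}")
    return values


def check_embed_request(url: str, table: str, column: str, allowed_values) -> tuple[int, list[str]]:
    """Decide the HTTP status for an embed request. Fail closed: a missing,
    duplicated or malformed filter is 400; a well-formed but unauthorized one is 403.
    Only a 200 result should ever be turned into an iframe src."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    filters = query.get("filter", [])
    if len(filters) != 1:
        return 400, []
    try:
        return 200, authorize_filter(filters[0], table, column, allowed_values)
    except MalformedFilter:
        return 400, []
    except UnauthorizedFilter:
        return 403, []


if __name__ == "__main__":
    # Constructed inputs: the post's URL with and without the trailing space.
    base = "http://localhost/Reports/powerbi/MyReport?filter="
    for url in (
        base + "tableone/column in ('a', 'b', 'c') &rs:Embed=true",   # trailing space -> 400
        base + "tableone/column in ('a', 'b', 'c')&rs:Embed=true",    # clean -> 200
        base + "tableone/column in ('a') or 1 eq 1&rs:Embed=true",    # extra clause -> 400
    ):
        print(check_embed_request(url, "tableone", "column", {"a", "b", "c"}))
```

The regex is deliberately narrow: it is an allowlist of the one shape of filter the embedding page is supposed to produce, not an attempt to parse the full filter language. Because `parse_qs` decodes percent-encoding before the check runs, the validator sees the same string the report server would, so a `%20` and a literal space are rejected alike.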

2 REPLIES
Super User

Re: Validate URL Filter

If you want to restrict what the user can see you should look at implementing Row Level Security so that the permissions are enforced at the model level.

 

Because couldn't the user just grab the start of the URL and open the report directly in the portal (e.g. http://localhost/Reports/powerbi/MyReport) in a new browser window, bypassing any logic on your page?

chris-h Regular Visitor

Re: Validate URL Filter

Yes, I need to look at RLS.

 

No, I parse the URL looking for specific IDs, which I then authorize using my security extension. But of course that could've been a real security miss.

 

Thank you!
