Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Anonymous
Not applicable

Validate URL Filter

‎05-16-2019 07:35 AM

I'm embedding reports using a URL filter to only show the data that the user is supposed to see. 

An iFrame with a url source is easy to manipulate and therefore a vulnerability so i've been testing different combinations of bad filters and querystrings.

I've found that if I pass a filter with a trailing whitespace character, or anything really that is not supposed to be in the filter, the filter is not applied and the report will show all the data.

Eg. http://localhost/Reports/powerbi/MyReport?filter=tableone/column in ('a', 'b', 'c') &rs:Embed=true

Is there any way of changing this behavior so that when a invalid filter is passed with the URL  no data will show in the report? 

 

At the moment the only solution I can think of is to test the filter with regex. And since I'm using custom security end up returning a 403 (I don't now how to return something else, like in this case a 400 Bad Request)

Labels:
Message 1 of 5
1,279 Views
0
4 REPLIES 4
d_gosbell
Super User
Super User

‎05-17-2019 03:06 AM

If you want to restrict what the user can see you should look at implementing Row Level Security so that the permissions are enforced at the model level.

 

Because couldn't the user just grab the start of the URL and open the report directly in the portal (eg.  http://localhost/Reports/powerbi/MyReport) in a new browser window bypassing any logic on your page?

Message 2 of 5
1,261 Views
0
Anonymous
Not applicable
In response to d_gosbell

‎05-19-2019 10:20 PM

Yes, I need to look at RLS.

 

No I parse the URL looking for specific IDs which I then authorize using my security extension. But of course that could've been a real security miss.

 

Thank you!

Message 3 of 5
1,227 Views
0
jess_v
Frequent Visitor
In response to Anonymous

‎02-26-2020 03:20 PM

@Anonymous   I've been tasked with parsing the Power BI URL and can't figure out how to do it.  Do you mind sharing how you achieved this?

 

(Essentially, there is a button in the Power BI report that links to additonal information, and I want to read the Power BI URL for a variable in there that will be used to create the dynamic link in the button).

 

Thanks! 

Message 4 of 5
1,035 Views
0
Anonymous
Not applicable
In response to jess_v

‎02-27-2020 12:32 AM

Not sure I understand what you mean but i simply just extract the URL from the IRSRequestContext and then do string validation on it using regex and other rules specificly for my purpose.

I do this in my implementation of IAuthenticationExtension2.GetUserInfo 

Message 5 of 5
1,009 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All