Request to '/api/reports/.../{documentId}' Is Not Authorized
Environment
| Product | Progress® Telerik® Reporting |
| --- | --- |
Description
When performing security tests with automated tools, there may be indications of a vulnerability. For example, if an authorized user discloses the link of the reporting API to an unauthorized user, e.g. /api/reports/clients/031206-6569/instances/031209-532c/documents/031210-54b5031210-5509/, the unauthorized user will be able to view the report.
Reasoning
The Get Document request, for example /api/reports/clients/031206-6569/instances/031209-532c/documents/031210-54b5031210-5509, is performed to download the generated report document as an attachment, for example a PDF file. Importantly, JavaScript does not have access to the client machine's file system, so it is necessary to rely on the browser to actually download the file, e.g. to open the File Save dialog. Therefore, the HTML5 Report Viewer downloads the rendered reports through the window.open() method. However, there is no option to add headers, as this is not an AJAX request; hence, if the endpoint were secured, it would not be possible to open/download the generated report through the viewer.
Approaches
- You may authorize the corresponding method in our API, the virtual GetDocument method, by overriding it. In this case, you will need to take care of the authorization headers that should be passed from the client when requesting the prepared document. This will also disable the export functionality for all report viewer controls that rely on the Telerik Reporting REST Service.
- A workaround may be found in the How to download a file from an authenticated Web API endpoint post. Note that this (and probably any other solution with the current technologies) will deteriorate the user experience, and therefore we have not adopted it.
- Instead of using the above approaches, we have decided to leave the request unauthorized and to rely on the fact that the URL for the request contains three random auto-generated GUIDs that are practically impossible to guess. The person who is authorized to open reports is responsible for not sharing the links to sensitive documents with unauthorized users. Note that even if the Get Document request were secured, once the document was downloaded it could be distributed by the one who downloaded it, hence it is all in the hands of the authorized user.
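The first approach above, shown as an added example that is not Telerik's own code: a controller derived from ReportsControllerBase overrides GetDocument and refuses the download unless the host's authentication middleware (for example an OAuth bearer token handler registered in the Web API pipeline) has already authenticated the caller. It assumes an ASP.NET Web API 2 host and the signature GetDocument(string clientID, string instanceID, string documentID) on ReportsControllerBase; the ReportServiceConfiguration setup is the same as in the standard controller and is not repeated here.

```csharp
// Added example (not Telerik's own code). Assumptions: ASP.NET Web API 2 host,
// Telerik.Reporting.Services.WebApi.ReportsControllerBase exposing a virtual
// GetDocument(string clientID, string instanceID, string documentID), and
// bearer-token authentication middleware configured for the application so
// that this.User is populated before the action runs.
using System.Net;
using System.Net.Http;
using Telerik.Reporting.Services.WebApi;

public class ReportsController : ReportsControllerBase
{
    // ReportServiceConfiguration initialization is unchanged from the
    // standard ReportsController template and is omitted here.

    public override HttpResponseMessage GetDocument(string clientID, string instanceID, string documentID)
    {
        // Anyone holding the three generated IDs can hit this route, so the
        // override checks that the request carried credentials the host
        // middleware accepted. window.open() cannot attach an Authorization
        // header, which is why the viewer's built-in export stops working once
        // this check is in place: the client must request the document itself
        // with the header and hand the resulting blob to the browser.
        if (this.User == null || this.User.Identity == null || !this.User.Identity.IsAuthenticated)
        {
            return this.Request.CreateErrorResponse(
                HttpStatusCode.Unauthorized,
                "A valid Authorization header is required to download report documents.");
        }

        // Credentials accepted: let the base implementation stream the
        // rendered document as an attachment, exactly as before.
        return base.GetDocument(clientID, instanceID, documentID);
    }
}
```

With this override in place, a bare window.open() of the document URL (or a shared link opened in a fresh browser session) receives 401 instead of the file.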