locked
Upload OneDrive file to webserver - is this a security risk? RRS feed

  • Question

  • Hi,

    I'm using the OneDrive web API to allow a user to select a file from their account (using WL.fileDialog method).  Once they've made the selection, we need to take a copy of the document and upload to our webserver.

    It seems to me that the best approach for this is to use

    WL.api({
      path: file.id + "/content?suppress-redirects=true",
      method:"GET"
    }).then(function(response)){
      var url = response.location;
      //Send the URL to the server for processing
    });

    However, doesn't the fact that this URL now requires no authentication mean that the document can be retrieved by anyone that sniffs the URL?  The URL will be POSTED to our server over SSL so that's secure but when the server requests the file via the url any MITM can see the url and grab the file?

    The URL's do seem to stop working after a while (maybe an hour or so?), but I can't find any documentation on this.  Can anyone shed some light on this?  Is this the correct approach?

    (Note that all the files are shared as "only me" on the OneDrive webpage throughout the process)

    Thanks in advance,
    Simon.

    Wednesday, April 16, 2014 1:15 PM

All replies

  • We mention pre-auth urls here:

    http://msdn.microsoft.com/en-us/library/live/hh826531.aspx#file_links

    They do expire. 

    If you're concerned about security it should be possible to make a request for the pre-auth url using HTTPS. 


    Carl Hirschman

    Wednesday, April 16, 2014 7:54 PM
    Moderator
  • Hi Carl,

    Thanks for the reply.  Appreciate the link to the docs too.  It is indeed possible to request the pre-auth url using HTTPS - but that doesn't really help.  HTTPS doesn't protect the url so the documents would still be available to anyone.

    I feel like I must be missing something as much smarter people than me have looked at this, but this does seem quite a big security hole if documents are of a sensitive nature.  As a user, there's no indication that the app could create public URL's for my OneDrive files.

    If this is the wrong solution for sensitive documents, what would the correct solution be?  And, as a user, how would I know that the app was doing the right thing?

    Regards,
    Simon.

    Thursday, April 17, 2014 8:00 AM