Delete blob content without 'Delete' permissions using shared access signature

1
votes

i'm using Azure blob storage for storing data from clients.

Clients are given with shared access signature with NO 'Delete' permission.

Nevertheless, i can delete a blob content without 'Delete' permission with the following code:

// sharedKey doesn't contain 'Delete' permission
var credentials = new StorageCredentials(sharedKey);
var blob = new CloudBlockBlob(blobPath, credentials);
var blockIds = new List<string>();

// If not getting all current blocks ids, all current data will be lost.
// if (blob.Exists())
// {
//  blockIds.AddRange(blob.DownloadBlockList().Select(b => b.Name));
// }

var blockId =
Convert.ToBase64String(
    Encoding.Default.GetBytes(blockIds.Count.ToString("d6",    CultureInfo.InvariantCulture)));
 blockIds.Add(blockId);

byte[] eventInBytes = Encoding.Default.GetBytes(string.Format(CultureInfo.InvariantCulture, "{0}\n",   formattedEvent));

using (var eventStream = new MemoryStream(eventInBytes))
{
    blob.PutBlock(blockId, eventStream, null);
}

blob.PutBlockList(blockIds);

Is this an Azure defect (or i am missing the concept of the shared access signature?. any way to overcome this issue ?

thanks!

1
azureazure-blob-storage
If I'm not mistaken, you're not really deleting the blob. You're simply overwriting the blob which you could do if you have included write permission in your shared access signature.Gaurav Mantri
true, but you must agree that overwriting the blob with by uploading an empty string is the same as deleting the blob (i mean, you do not delete the file itself but on the other hand an empty blob equals to no blob file at all)yonisha
I don't think so. While I agree that your blob is of no use to you but I wouldn't qualify as deleted. What if instead of an empty string, user uploads some garbage data? Would you still consider the blob to be deleted?Gaurav Mantri
It depends whether the old data has been removed or not. The user can upload whatever data he wants, as long as the existing data remains.yonisha
Is your client given just the SAS and they write the code (like above) or is this code you wrote? If it's latter, you could take a snapshot of the blob before upload so that you have last working copy of the blob.Gaurav Mantri

1 Answers

2
votes

The way Share Access Permissions are implemented a user can be granted these access rights: Delete, List, None, Read, Write (See this article). With this level of granularity if you want your user to be able to create a blob, then they will also be able to update a blob. Although you can prevent users from deleting blobs, by issuing a SAS without the delete permission, you cannot prevent users from modifying blobs unless you also deny them the ability to create, both of which are controlled by the "Write" permission.