Able to generate SAS token for a container with empty name

[srinidhikarthikbs]

Which service(blob, file, queue, table) does this issue concern?

blob

Which version of the SDK was used?

Please note that if your issue is with v11, we are recommending customers either move back to v11 or move to v12 (currently in preview) if at all possible. Hopefully this resolves your issue, but if there is some reason why moving away from v11 is not possible at this time, please do continue to ask your question and we will do our best to support you. The README for this SDK has been updated to point to more information on why we have made this decision. V8

What problem was encountered?

Not only can I get a reference to an empty("") container name from my storage account, it appears I can also generate a sas token for it. But the sas token appears to have no permissions on anything. The javadoc clearly says the "Container names must be lowercase, between 3-63 characters long and must start with a letter or number.".

Have you found a mitigation/solution?

Nope.

[jaschrep-msft]

Hi @srinidhikarthikbs. Thank you for bringing this to our attention.

Storage has a concept of the root container, with the name $root. It is one of the few special case containers that can break that naming convention. Blobs within the root container can be accessed without putting the container name in the URL: https://myaccount.blob.core.windows.net/myblobname.

Are you encountering an issue in the SDK where we are not handling access to the root container correctly?

[srinidhikarthikbs]

@jaschrep-msft, I'm referring to a container with the name "" (empty string in java) basically. I do not have such a container in my storage account (neither could I).

My issue is, I am able to execute these two statements: CloudBlobContainer container = csa.createCloudBlobClient().getContainerReference(""); container.generateSharedAccessSignature(policy, null, null, SharedAccessProtocols.HTTPS_ONLY);

The question is,

1. why does the first method accept a name that is not valid? (I'm referring to the description in javadoc for this method)
2. why does the second method return me a valid sas token when clearly the container does not exist in real? What is the meaning of this sas token and what permissions does it have on my storage account?

You can repro using this template: https://repl.it/@srinidhikarthik/Azure-empty-container-name-sas-token

[jaschrep-msft]

While you could not have a container with the name of empty string, you could have a container with the name $root, and that could be accessed by not supplying any container name.

Regarding the two lines of code you supplied, none of those make service calls as far as I'm aware, and business logic of the service is generally left to the service to validate. You could create a CloudBlobContainerClient that points to nonexistent containers, or containers with impossible names, and they will fail when they make requests to the service.

csa.createCloudBlobClient().getContainerReference("") will create an object setup to work with a container you identified as the empty string. Any subsequent network calls made with this object should be interpreted by the service as trying to access $root.

container.generateSharedAccessSignature(policy, null, null, SharedAccessProtocols.HTTPS_ONLY); is meant to create a shared access signature that can access that root container, with the permissions you supply in the arguments.

Does this answer your question?

[srinidhikarthikbs]

Yeah sure, I missing the link between root container and empty container name. Would be great to have a mention of this explicitly somewhere. Thanks.