Power Platform Community Forums / Power Apps (Unanswered)
webAPI retrieveMultipleRecords Query Security


Hello,


In my PCF component code, I use retrieveMultipleRecords and provide it with the optional query string.


Should I be concerned about the security of using a query string? In other words, does the back end that handles this query provide any protections against users running code snippets with malicious queries?


Thanks in advance

  • skoofy5 (482)

    If your app has no security and it's only by obscurity then no, there's nothing to stop them from running 'malicious' queries to retrieve more records. Though how malicious it is to retrieve more records if you don't apply security roles I'm not sure.

    Realistically, your app should be set up with security roles that ensure users access only the appropriate records with the correct privileges (i.e. read/edit/delete/share access). This would prevent users from being able to retrieve records outside of their identified scope.

    Additional data protection can be enforced in the form of auditing, capturing potentially malicious changes by users. Again, this would need to be configured for your app.

  • Guido Preite (1,488, Super User 2024 Season 1)

    Users can access only the records they have permission to see through security roles; nothing stops them from opening the browser console and executing a retrieveMultipleRecords by themselves, bypassing your PCF control completely. Your PCF control runs inside the client-side context, not in a server-side context.

  • jham99 (8)

    Thanks for the responses.

    So security roles are the best for protecting records, but if a user can execute retrieveMultipleRecords with arbitrary query strings, then is there any protection against them injecting scripts into these queries?

  • Guido Preite (1,488, Super User 2024 Season 1)

    I don't know which protection you are expecting to have. With the security roles you can decide the permissions.

    For example, if a user can read only their own accounts and can't edit them, then if they write a query (or inject your code) they still can't edit the records, client-side or server-side.

  • jham99 (8)

    Alright, I see.

    Since every user environment is isolated from other environments, the only harm that a user could do is to themselves/their own environment?

  • Guido Preite (1,488, Super User 2024 Season 1)

    The same user can have access to multiple environments, but under each environment they can have different security roles (for example, inside instance A they can create accounts, inside instance B they can only read accounts).

  • jham99 (8)

    One more question: is there any protection against Denial of Service attacks? A user could only harm their own environments if they did such an attack?

  • Guido Preite (1,488, Super User 2024 Season 1)

    Which exact kind of Denial of Service attack are you referring to?

  • Community Power Platform Member

    I think what jham99 is asking about is an arbitrarily complex query that could cause lots of resources to be consumed on the server, which may impact billing and/or other customers' experiences.

    You could think of a regular expression denial of service attack as described at https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

    GraphQL provides some tools to restrict query complexity, as described at https://typegraphql.com/docs/complexity.html

    Are there any such mitigations applicable here for untrusted user input being processed by the server?

  • Guido Preite (1,488, Super User 2024 Season 1)

    As I wrote before, nobody is stopping the user from opening the browser console and running 1,000,000 queries to fetch the accounts.

    Can this be considered a DDoS? Probably not.

    Can this impact billing? Of course, because you are doing a Web API call (and an authenticated one, I may add).

    Is this connected to the PCF control, the usage of retrieveMultipleRecords and the exploit of this PCF control? Absolutely not, as the same operation can be done inside the browser console.
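The point made across these replies (the query string is assembled and sent from the client, so only Dataverse security roles decide which records come back) as an added TypeScript example, not code from the thread or from any PCF sample; the WebApiLike interface, the MAX_TOP cap and the account search are assumptions for illustration. It shows what a control can still do on its own side: escape the user input it puts into an OData $filter and cap $top.

```typescript
// Added example, not from the thread. A PCF control can escape the user
// input it puts into an OData $filter and cap $top; which records come back
// is still decided by Dataverse security roles, since a user can call
// webAPI.retrieveMultipleRecords from the browser console with any query.

// Minimal shape of context.webAPI used here (assumption for this example;
// the real PCF type is ComponentFramework.WebApi).
interface WebApiLike {
  retrieveMultipleRecords(
    entityType: string,
    options?: string,
    maxPageSize?: number
  ): Promise<{ entities: Record<string, unknown>[] }>;
}

// Hypothetical page-size cap chosen for this example.
const MAX_TOP = 50;

// OData string literals are single-quoted; a quote inside the value is
// written as two quotes, so O'Brien becomes 'O''Brien' and the input
// cannot close the literal early and append its own filter terms.
export function odataString(value: string): string {
  return "'" + value.replace(/'/g, "''") + "'";
}

// Clamp a requested page size so a control bug or an oversized UI value
// cannot ask for an unbounded result set.
export function clampTop(requested: number): number {
  if (!Number.isFinite(requested) || requested < 1) return 1;
  return Math.min(Math.floor(requested), MAX_TOP);
}

// Build the options string for retrieveMultipleRecords("account", ...).
export function buildAccountQuery(nameFragment: string, top: number): string {
  const filter = `contains(name,${odataString(nameFragment)})`;
  return `?$select=name,accountid&$filter=${filter}&$top=${clampTop(top)}`;
}

// Typical call from a PCF control; webApi would be context.webAPI.
export async function searchAccounts(
  webApi: WebApiLike, nameFragment: string, top: number
): Promise<Record<string, unknown>[]> {
  const query = buildAccountQuery(nameFragment, top);
  const result = await webApi.retrieveMultipleRecords("account", query);
  return result.entities;
}
```

Escaping keeps the control's own filter well-formed; it does not restrict what an authenticated user can request directly, which is exactly why the replies above point to security roles and auditing.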
