Post

Avoid Exposing Status Uri From Durable Functions Extension For Azure Functions To Untrusted Parties (It Contains A Secret Key!)

Avoid Exposing Status Uri From Durable Functions Extension For Azure Functions To Untrusted Parties (It Contains A Secret Key!)

Durable Functions is an extension for Azure Functions to help write stateful services in a stateless environment. It can return helpful information, including a status uri, but this contains a secret key by default! Be careful not to expose this to untrusted parties.

/runtime/webhooks/durabletask/instances/abc123abc123abc123abc123abc123ab?taskHub=mytaskhub&connection=Storage&code=code-here ends with a code query string paramater containing the secret key.

Consider building a custom status endpoint, securing it as needed.

If Deployed, Rotate The Key(s)!

The code appended to the url as a query string parameter is a system key that enables access to Durable Functions at an administrative level for the Azure Functions instance. You’ll want to rotate the impacted any durabletask_extension system keys in your Azure Functions applications.

More Info

This post is licensed under CC BY 4.0 by the author.