Update StoreFormFromPortal.cs - Issue #1331 Fix #1332
Merged
What is being changed
Adding a check to make sure loaded URLs from a plugin's 'Project Url' are actual URLs when a user clicks on the loaded 'Project Url' within the Tool Library page. With this change, if a user clicks on a plugin 'Project Url' that fails the Uri check, the Process.Start() function will not be called.
Found the code from: https://stackoverflow.com/questions/7578857/how-to-check-whether-a-string-is-a-valid-http-url
This will just prevent any non-URLs from being executed in the Process.Start() function - preventing any potential for the command injection found in Issue #1331.
How command injection occurs
Fundamentally, command injection can occur when the 'Project Url' for a plugin contains commands instead of a URL and the user clicks on the 'Project Url' for a plugin in the Tool Library page. As the current version of XrmToolBox does not sanitize or check the URL from plugins loaded from the XrmToolBox portal, there are a few ways a malicious actor could utilize this flaw to execute arbitrary commands on users' machines:
A malicious plugin with commands stored in its 'Project Url' is successfully added to the XrmToolBox Portal and loaded into users' Tool Library.
A man-in-the-middle attack occurs, intercepting the request to www.xrmtoolbox.com/_odata/plugins, and replacing specific or all mctools_projecturl data with arbitrary commands.
What loaded commands will look like from a man-in-the-middle attack:
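The following is an added illustration of the "validate before Process.Start()" approach this PR describes, written for this page and not taken from the XrmToolBox code or from the pull request itself. The class and method names (ProjectUrlLauncher, IsSafeHttpUrl, TryOpenProjectUrl) and the sample strings are assumptions made for the example. It combines the Uri.TryCreate check from the linked StackOverflow answer with a scheme allow-list, because Uri.TryCreate on its own also accepts file: URIs (on Windows a bare executable path parses as one), which Process.Start would happily run.

```csharp
using System;
using System.Diagnostics;

// Hypothetical helper showing the pattern described in the PR:
// only hand a string to Process.Start() after it has been proven to be an http/https URL.
// Not the project's own code; names and sample values are constructed for this example.
public static class ProjectUrlLauncher
{
    // Returns true only for an absolute URL whose scheme is http or https.
    public static bool IsSafeHttpUrl(string candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate))
            return false;

        // Uri.TryCreate alone is not sufficient: on Windows a plain path such as
        // C:\Windows\System32\notepad.exe parses as a valid absolute "file:" URI,
        // so the scheme must be restricted as well.
        return Uri.TryCreate(candidate, UriKind.Absolute, out Uri uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    // Opens the project URL in the default browser only when the check passes.
    // Returns false (and does nothing) for anything that is not an http/https URL.
    public static bool TryOpenProjectUrl(string projectUrl)
    {
        if (!IsSafeHttpUrl(projectUrl))
            return false;

        // UseShellExecute must be set explicitly on .NET Core / .NET 5+ (it defaults to false there);
        // with a validated http/https URL the shell hands it to the browser.
        Process.Start(new ProcessStartInfo(projectUrl) { UseShellExecute = true });
        return true;
    }

    // Demo only: classifies constructed sample values without launching anything.
    public static void Main()
    {
        string[] samples =
        {
            "https://example.com/my-plugin",      // allow
            "http://example.com/my-plugin",       // allow
            "ftp://example.com/my-plugin",        // block: wrong scheme
            @"C:\Windows\System32\notepad.exe",   // block: parses as file: URI
            "not a url at all",                   // block: Uri.TryCreate fails
            "",                                   // block: empty
        };

        foreach (var s in samples)
            Console.WriteLine($"{(IsSafeHttpUrl(s) ? "allow" : "block")}: \"{s}\"");
    }
}
```

In the Tool Library click handler the call site would become a single `if (!ProjectUrlLauncher.TryOpenProjectUrl(plugin.ProjectUrl)) { /* ignore or log */ }`, so a tampered or malformed mctools_projecturl value is simply never passed to the shell.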