Wednesday, 14 March 2012 13:30
Can deploying a new plug-in to a CRM project result in a new vulnerability?
Wednesday, 14 March 2012 13:40
That depends entirely on what kind of plugin you are deploying. As a general rule, plugins registered in the sandbox have less potential for damage because they only have limited access to resources (e.g. you cannot access the database).
If you for example create a plugin which performs some actions on the database based on fields in an entity, there is the possibility of an SQL injection. Chances of a vulnerability are a lot less if you have a plugin which only sets a default value on a field.
Thursday, 15 March 2012 11:33
Many thanks Patrick for your appreciated help.
Well, what about the possibility of XSS attacks based on the inputs? Is it possible, or are all inputs to the system and outputs sanitized by default? Also, are there other scenarios like the SQLi one?
Thank you again,
Thursday, 15 March 2012 11:43
XSS does not really apply to plugins as these execute C# and you would have to explicitly create the plugin to execute CRM data as code. Running in the CRM sandbox makes this completely impossible as this does not allow any reflection or dynamic code.
SQL injection is only a problem if you connect to the database yourself. If you perform all operations using IOrganizationService, SQL injection is impossible, assuming there are no vulnerabilities in CRM itself.
- Marked as answer by DavidJennawayMVP, Moderator, Monday, 16 April 2012 18:40
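The contrast in the answer above, as an added example that is not code from this thread: the same lookup written against IOrganizationService (sandbox-safe, no SQL text built from field values) beside the direct-SQL pattern that is only reachable on-premise, once concatenated and once parameterized. The custom attribute `new_lookupname`, the class name and the `AccountBase` table reference are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Constructed example: on create/update, count accounts whose name equals the
// value of an assumed custom field "new_lookupname" on the target record.
public class AccountLookupPlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        IOrganizationService service = factory.CreateOrganizationService(context.UserId);

        var target = (Entity)context.InputParameters["Target"];
        string name = target.GetAttributeValue<string>("new_lookupname");

        // Safe, and the only route available in the sandbox: the platform builds
        // the query; "name" is a typed condition value, never spliced into SQL text.
        var query = new QueryExpression("account") { ColumnSet = new ColumnSet("accountid") };
        query.Criteria.AddCondition("name", ConditionOperator.Equal, name);
        EntityCollection accounts = service.RetrieveMultiple(query);

        target["new_matchcount"] = accounts.Entities.Count; // assumed whole-number field
    }

    // The pattern the answer warns about (on-premise only; blocked in the sandbox):
    // the field value becomes part of the SQL statement, so it can change the query.
    static int CountByNameUnsafe(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM AccountBase WHERE Name = '" + name + "'", conn);
        return (int)cmd.ExecuteScalar();
    }

    // If direct SQL is truly unavoidable on-premise, bind the value as a parameter
    // so it is sent as data rather than as statement text.
    static int CountByNameParameterized(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM AccountBase WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 160).Value = name;
        return (int)cmd.ExecuteScalar();
    }
}
```

Registering the plugin in the sandbox removes the two direct-SQL methods as an option entirely, which is the point of the moderator's later advice; the parameterized form is the fallback only where sandbox registration is not used.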
Thursday, 15 March 2012 15:55
Thank you Patrick, but I have one more question :)
What about running on-premise? Does it allow reflection or dynamic code? Is it really worth it to use sandbox features instead of on-premise?
Thursday, 15 March 2012 17:16 (Moderator)
The sandbox should work the same for CRM On-Premise as Online, i.e. if you deploy the plugin in the sandbox On-Premise, it will not be able to use reflection, dynamic code, direct SQL access etc. The only significant difference is that you can choose whether to deploy a plugin in the sandbox or not with On-Premise, whereas with Online you can only deploy a plugin in the sandbox.
If code security is a significant concern, then I'd suggest you specify that all plugins should be registered in the sandbox.
Sunday, 18 March 2012 12:08
Your addition was really valuable, thank you.
Is there any limitation that prevents me from deploying a plugin in the sandbox, apart from not being able to use reflection, dynamic code, direct SQL access etc.?
Also, is there any workaround to make the sandbox support the workflow activity executions?
Thank you again!
Sunday, 18 March 2012 12:45
At the moment workflow activities cannot be registered in the Sandbox, so no.
But with the CRM Q2 2012 service update the ability to add custom activities to CRM online will be added. I have not found confirmation of how this will work but I would expect they will only run in the Sandbox, which would mean that you should also have this ability offline.
It is very hard to get details out on this but this is the official release guide http://crmpublish.blob.core.windows.net/docs/ReleasePreviewGuide.pdf