XrmToolBox
Update StoreFormFromPortal.cs - Issue #1331 Fix
What is being changed
Adding a check to make sure URLs loaded from a plugin's 'Project Url' are actual URLs when a user clicks on the loaded 'Project Url' within the Tool Library page. With this change, for any user that clicks on a plugin 'Project Url' that fails the Uri check, the Process.Start() function will not be called.
Found the code at: https://stackoverflow.com/questions/7578857/how-to-check-whether-a-string-is-a-valid-http-url
This will just prevent any non-URLs from being executed by the Process.Start() function, preventing any potential for the command injection found in Issue #1331.
How command injection occurs
Fundamentally, command injection can occur when the 'Project Url' for a plugin contains commands instead of a URL and the user clicks on the 'Project Url' for that plugin in the Tool Library page. As the current version of XrmToolBox does not sanitize or check the URLs of plugins loaded from the XrmToolBox portal, there are a few ways a malicious actor could use this flaw to execute arbitrary commands on users' machines:
- A malicious plugin with commands stored in its 'Project Url' is successfully added to the XrmToolBox Portal and loaded into users' Tool Library.
- A man-in-the-middle attack occurs, intercepting the request to www.xrmtoolbox.com/_odata/plugins and replacing specific or all mctools_projecturl data with arbitrary commands.
What the loaded commands look like after a man-in-the-middle attack:
https://github.com/MscrmTools/XrmToolBox/assets/65303833/820703e1-d346-493a-a1c1-5b84348db52f
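As an added example (not code from this PR or from the XrmToolBox project), the Uri.TryCreate pattern the PR refers to, placed as a gate in front of Process.Start. The class name, method names and the sample strings are assumptions for illustration; the sample values are constructed, not data from the XrmToolBox portal. Note that .NET parses a plain Windows or UNC path as an absolute file: URI, so it is the scheme check, not TryCreate alone, that rejects paths to executables.

```csharp
using System;
using System.Diagnostics;

// Added example, not XrmToolBox code: validates a plugin's 'Project Url'
// before it reaches Process.Start. Names are hypothetical.
public static class ProjectUrlOpener
{
    // Returns true only for absolute http:// or https:// URLs.
    // A Windows path such as C:\Windows\System32\cmd.exe passes
    // Uri.TryCreate (it becomes a file: URI), so the scheme check is required.
    public static bool IsHttpUrl(string candidate)
    {
        return Uri.TryCreate(candidate, UriKind.Absolute, out Uri result)
            && (result.Scheme == Uri.UriSchemeHttp || result.Scheme == Uri.UriSchemeHttps);
    }

    // Opens the URL in the default browser; returns false without
    // calling Process.Start when the value is not an http(s) URL.
    public static bool TryOpen(string projectUrl)
    {
        if (!IsHttpUrl(projectUrl))
            return false;

        // UseShellExecute = true is what makes Process.Start hand a URL to the
        // browser. It defaults to true on .NET Framework but to false on
        // .NET Core / .NET 5+, so it is set explicitly here.
        Process.Start(new ProcessStartInfo(projectUrl) { UseShellExecute = true });
        return true;
    }

    public static void Main()
    {
        // Constructed sample values for the check, not real portal data.
        string[] samples =
        {
            "https://github.com/MscrmTools/XrmToolBox",  // accepted
            "http://example.com/tool",                   // accepted
            "ftp://example.com/tool",                    // rejected: scheme is not http/https
            "file:///C:/Windows/System32/cmd.exe",       // rejected: scheme is file
            @"C:\Windows\System32\cmd.exe",              // rejected: parsed as a file: URI
            @"\\attacker\share\payload.exe",             // rejected: UNC path, also file: scheme
            "cmd.exe /c calc",                           // rejected: Uri.TryCreate fails
            "",                                          // rejected: empty
        };

        foreach (string s in samples)
            Console.WriteLine($"{IsHttpUrl(s),-5} {s}");
    }
}
```

Calling TryOpen in place of a bare Process.Start(projectUrl) is the whole change in behaviour: a value that fails IsHttpUrl is never passed to the shell, which is what closes the injection path described above.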
Thank you! I'm adding your change