Execute and access code restricted internals as a partner or customer
It's possible to bypass the internal access modifier that is used to protect code in Dynamics 365 for Finance and Operations from being executed by partner or customer code.
This is possible because the standard models that MS provides in each release contain a Descriptor file that hasn't been cleaned up and still contains a list of model names under InternalsVisibleTo. All models that are listed under InternalsVisibleTo can reference/call code that has been marked as internal.
See for example:
K:\AosService\PackagesLocalDirectory\ApplicationSuite\Descriptor\Foundation.xml
Most of the models listed under the tag InternalsVisibleTo are unit testing models that are not shipped with the release. This makes it possible for a partner or customer to create a model with the same reference name and in that way gain access to executing any code that should only be accessible to your core MS models.
Since you have test models for most of your models, this gives a partner or customer the ability to do this for most of the MS released models and gain access to their internals.
Important: I've not tested if it's possible to deploy a model to a production environment that has the same name as the MS test models. I'd like to state that I've submitted this to MS and they have classified this as a bug, so it will probably get fixed soon and the loophole closed.
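A build-time check for the name collision described above, as an added example that is not part of the original post and not Microsoft's code: it reads the InternalsVisibleTo entries from vendor descriptor files and flags any custom model whose name matches one. The descriptor layout (a Name element and string entries under InternalsVisibleTo), the sample model names and the case-insensitive comparison are assumptions.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip any XML namespace so element names match regardless of prefix."""
    return tag.rsplit("}", 1)[-1]

def parse_descriptor(xml_text):
    """Return (model name, friend model names) from one descriptor file."""
    name, friends = None, []
    for child in ET.fromstring(xml_text):
        tag = _local(child.tag)
        if tag == "Name":
            name = (child.text or "").strip()
        elif tag == "InternalsVisibleTo":
            friends = [e.text.strip() for e in child if e.text and e.text.strip()]
    return name, friends

def reserved_names(vendor_descriptors):
    """Map each friend name (lower-cased) to the vendor models that trust it."""
    reserved = {}
    for xml_text in vendor_descriptors:
        name, friends = parse_descriptor(xml_text)
        for friend in friends:
            reserved.setdefault(friend.lower(), []).append(name)
    return reserved

def find_collisions(vendor_descriptors, custom_descriptors):
    """List (custom model, vendor models exposing internals to it) pairs."""
    reserved = reserved_names(vendor_descriptors)
    hits = []
    for xml_text in custom_descriptors:
        name, _ = parse_descriptor(xml_text)
        if name and name.lower() in reserved:
            hits.append((name, sorted(reserved[name.lower()])))
    return hits

# Constructed sample descriptors (assumed layout, made-up model names).
VENDOR = """<AxModelInfo>
  <InternalsVisibleTo xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
    <d2p1:string>SampleVendorTests</d2p1:string>
  </InternalsVisibleTo>
  <Name>SampleVendor</Name>
</AxModelInfo>"""
CUSTOM_OK = "<AxModelInfo><Name>PartnerExtensions</Name></AxModelInfo>"
CUSTOM_BAD = "<AxModelInfo><Name>samplevendortests</Name></AxModelInfo>"

if __name__ == "__main__":
    for model, exposing in find_collisions([VENDOR], [CUSTOM_OK, CUSTOM_BAD]):
        print(f"REVIEW: custom model {model!r} matches InternalsVisibleTo of {exposing}")
```

Feed it the descriptor files of the standard models and of the models in your own source control; any hit is a model that would be granted access to internals and deserves review before deployment.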