Execute and access code restricted internals as a partner or customer

-
It's possible to bypass the internal access modifier that is used to protected code in Dynamics 365 for Finance and Operations from being executed by partner or customer code.

This is possible since the standard models that is provided by MS in each release contain a Descriptor file that haven't been clean up and still contain a list of model names under InternalsVisisbleTo. All models that are listed under InternalsVisibleTo can reference/call code that has been marked as internal.

See for example: K:\AosService\PackagesLocalDirectory\ApplicationSuite\Descriptor\Foundation.xml


Most of the models listed under the tag InternalsVisisbleTo are unit testing models that are not shipped with the release. This makes it possible for a partner or customer to create a model with the same reference name and that way gain access to executing any code that should only be accessible by your core MS models.

Since you have test models for most of your models this gives a partner or customer the ability to do this for most of the MS released models and gain access to it's internals.

Important, I've not tested if it's possible to deploy a model to a production environment that has the same name as the MS test models. I'd like to state that I've submitted this to MS and they have classified this as a bug so it will probably get fixed soon and the loop hole closed.

Comments

Post a Comment

Popular posts from this blog

How to disable auto enabled flight key using KillSwitch

-
Image
Microsoft is introducing new functionality into Dynamics 365 for Finance and Operations with flight keys in every other new release. For this they use  Flight  classes so that the changes are automatically applied and can be reversed.  Example of a flight class that control the functionality of a new set of functionality.  When a flight key that enable functionality can be found in the flight key table  SysFlighting To disable the functionality don't delete or change the enabled flag on the flight record, instead insert a KillSwitch  record. The KillSwitch record will ensure that the flighed functionality will stay disabled as long as it exist in the flight table.  In an environment that Microsoft maintain can raise a support ticket in LCS to disable specific flight keys.  SQL statement for insert the KillSwitch record.  DECLARE @flightName NVARCHAR(100) = 'WHSWorkCancelForcedFlight_KillSwitch' IF NOT EXISTS (SELECT TOP 1 1 FROM SysFlighting WHERE flightName = @flightName
Read more

Technical intro to Feature management in D365FO

-
Image
Feature management is an alternative to configuration keys for releasing and introduce a new features into D365FO.  MS is still releasing updates around the framework but the existing state as per 10.0.9 provide all we need to get started with releasing functionality that is controlled by the feature management framework.  The key to the feature framework is the feature class, in my example below see the class  pekTestingFeature. It is used as a descriptor for the feature and the flag to indicate if the feature is enabled or not. Once the class is created and compiled, users can navigate to Feature management  under System administration  and enabled/disable the feature. It is possible to make a feature enabled by default or disable the possibility to disable the feature. If the feature doesn't automatically appear, run the Check for updates button.   The feature class can be applied to menu items and menus. If enabled the menu item or menu will be visible to the
Read more

Continuous integration and deployment Power platform FinOps tweaking

-
Image
If you are working with the new unified development environments and CICD pipelines described here .  You might find the fact that we have to update the pipeline with the platform and application version annoying.  A quick way to get around this if you are using azure hosted agent pipeline as per this repo is to pull the number from the package.config and using it in the create deployable package task as per the two example tasks below.  The first powershell task will pull the version from the nuget files and save it to variable that can be reused in later tasks within the job. 
Read more