How do I sanitize a workflow uploaded by a user? - xpath

I have a multi-tenant application that may run arbitrary workflows as needed.
I plan on using the workflow designer to create these workflows, but even if I limit the Activities in the Toolbox, that doesn't prevent a malicious user from editing his own XAML file and doing activities I'd rather they not do (specifically, calling out to the .NET Framework).
For a given workflow, how do I verify that the only actions being used are those I approve of? Is an XPath query the only way, or is there a feature within WF that will validate this?
If you need a visual introduction to what I'm looking for, here is a sample project and video referring to it.

I'd just load the workflows in a sandboxed AppDomain. You can use the GetStandardSandbox static method of the SecurityManager to set this up relatively easily (and safely).
Of course, I haven't actually done this yet, but I'm definitely thinking about adding some of this to my current WF code (which does use AppDomains to isolate execution of workflows from my application).

All you can do is load the XAML as XML and check what is in there. And make sure to check any VB expression entered, as users can put interesting things in there as well.
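One way to do the check this answer describes, as an added example (not code from the question or either answer): load the XAML as plain XML, compare every element's namespace and activity name against an allowlist, and inspect bracketed VB expressions for qualified names whose root is neither a declared workflow variable nor an approved type. The allowlist contents, the two XAML documents and the `Tenant.Custom` assembly name are constructed for the example; the two namespace URIs are the real WF4 and XAML ones.

```python
import re
import xml.etree.ElementTree as ET

WF_NS = "http://schemas.microsoft.com/netfx/2009/xaml/activities"  # WF4 activities
X_NS = "http://schemas.microsoft.com/winfx/2006/xaml"               # XAML language (x:)
# Constructed allowlist; <Sequence.Variables>-style property elements pass via their owner.
ALLOWED_ACTIVITIES = {"Activity", "Sequence", "Assign", "WriteLine", "If", "Variable", "InArgument", "OutArgument"}
ALLOWED_ROOTS = {"String", "Math"}  # types a VB expression may start with
QUALIFIED = re.compile(r"\b([A-Za-z_]\w*)(?:\.[A-Za-z_]\w*)+")  # e.g. System.IO.File

def audit_xaml(xaml: str) -> list[str]:
    # Returns findings for anything outside the allowlist; an empty list means clean.
    findings = []
    root = ET.fromstring(xaml)
    # Variables declared in the workflow are legitimate roots for expressions.
    declared = {v.get("Name") for v in root.iter(f"{{{WF_NS}}}Variable") if v.get("Name")}
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        ns = ns.lstrip("{")
        if ns not in (WF_NS, X_NS):  # clr-namespace:... pulls in arbitrary assemblies
            findings.append(f"element <{local}> from non-WF namespace {ns!r}")
            continue
        if ns == WF_NS and local.split(".")[0] not in ALLOWED_ACTIVITIES:
            findings.append(f"activity <{local}> is not on the allowlist")
        # VB expressions appear as [ ... ] in attribute values or element text.
        for value in [el.text or "", *el.attrib.values()]:
            value = value.strip()
            if not (value.startswith("[") and value.endswith("]")):
                continue
            expr = re.sub(r'"[^"]*"', '""', value[1:-1])  # ignore string literals
            for m in QUALIFIED.finditer(expr):
                if m.group(1) not in declared | ALLOWED_ROOTS:
                    findings.append(f"expression {value} reaches outside the workflow: {m.group(0)}")
    return findings

# Constructed sample: approved activities only, expression rooted in a declared variable.
CLEAN_XAML = f"""<Activity xmlns="{WF_NS}" xmlns:x="{X_NS}">
  <Sequence>
    <Sequence.Variables>
      <Variable x:TypeArguments="x:String" Name="name" Default="tenant" />
    </Sequence.Variables>
    <WriteLine Text="[name.ToUpper()]" />
  </Sequence>
</Activity>"""
# Constructed sample: unapproved activity, custom assembly, and a framework call.
SUSPICIOUS_XAML = f"""<Activity xmlns="{WF_NS}" xmlns:t="clr-namespace:Tenant.Custom;assembly=Tenant.Custom">
  <Sequence>
    <InvokeMethod MethodName="Start" />
    <t:CustomActivity />
    <WriteLine Text="[System.Environment.MachineName]" />
  </Sequence>
</Activity>"""
```

The expression check is a coarse static filter (a variable-rooted expression can still chain into reflection), so it complements rather than replaces the sandboxed AppDomain suggested in the other answer.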

Related

How can I open slack modal during slack workflow execution step?

I am currently working on a Slack app with a custom workflow step which is used to get some data from the user during execution using modals.
I can do that using built-in forms from Workflow Builder, like in the attached image.
Built in workflow form
However, my form is more interactive and requires input fields to change based on user selection. To do that, I am trying to consume the https://slack.dev/java-slack-sdk/guides/modals API with a custom workflow step.
My question is, do I have any chance to call the open modal API during a custom workflow execution step: https://api.slack.com/events/workflow_step_execute ?
So far I have failed to identify what I can use as the triggerId during workflow step execution.
Thank you in advance, and I do understand my question is complex, so I will be happy to provide more information.
Unfortunately, it's not possible to trigger a modal from within a Workflow. Workflow Builder currently doesn't support conditional interactivity either. Sorry I don't have better news. On the plus side, Workflow Builder is going to see some significant upgrades this year!

How do I create a custom global element/app within CRM Dynamics such that it shows on all pages and can control user navigation?

I need to add a custom element/mini-app/extension to CRM Dynamics Sales such that it shows globally on all pages that the user navigates to and can also navigate the user's URLs when certain events happen.
What options exactly do I have to satisfy the above criteria?
The screenshot below shows a sample area that I need to build the app within as an example.
I'd imagine there are many use cases where customizing a global element is worthwhile, especially since custom applications may need to be built.
I understand I can use the Resources to create a SPA such as Angular, which runs as long as the URL stays at the SPA URL. But for our use case, we are looking to allow end users to navigate the CRM using the custom controls, but when something happens in another subsystem, we need end users who are logged into the CRM to instantly view data that is important to them.
Is this technically possible?
Unfortunately this is not feasible. There are some concepts to show a learning path like that, but it won't satisfy your need.
I understand what you need: something like a news feed or ad rotator for rolling content, but as a context-specific flyout area which is always pinned. There is no OOB option or customization/configuration available for achieving this. You can initiate this concept in Dynamics Ideas.
Like you said there can be a HTML web resource developed & embedded in a dashboard, this is very limited for your requirement.
Edit:
I think you are looking for Channel Integration Framework which will help you to configure third party CTI apps.
In CRM V9, they have introduced a new API call for 'Panel'. This panel loads to the side of the screen, and can display content regardless of where the user moves throughout the entire application. I've played around with it a bit for my own personal reasons at work, but it looks to be exactly what you're looking for.
The call is 'Xrm.Panel.loadPanel(URL/WebResource)'
https://learn.microsoft.com/en-us/dynamics365/customer-engagement/developer/clientapi/reference/xrm-panel
However, the feature is currently in development, and should only be used in production at your own risk.

how to pass through the captcha while testing an application on an automation tool like QTP

How to avoid captcha (or an alternative) while testing an application on any tool.
I am testing an application on QTP. It has a captcha on the login screen. Since the captcha is an image, the tool is unable to read it for repeated iterations. Is there any way to pass through the captcha?
The whole point of CAPTCHA[1] is to make sure a real human is facing the computer, so if QTP could solve a general CAPTCHA it would mean that the whole concept of CAPTCHAs is flawed.
On a case-by-case basis there may be a solution (perhaps involving Insight), but you would have to share more information to get a meaningful answer.
The best course of action would probably be to get R&D to provide a non-CAPTCHA-protected way to enter the application during testing (and make sure this is not present on the production servers).
[1] Completely Automated Public Turing test to tell Computers and Humans Apart
CAPTCHA objects are designed to prevent automation, by ensuring that a human is interacting with the application, not a computer. These controls are designed to prevent automation. With this in mind, QuickTest Professional (QTP) / Unified Functional Testing (UFT) does not have a method to capture the text from the object. You will most likely need to test that portion of the application manually. Here are a couple of suggestions you can consider:
- If possible, limit the CAPTCHA control (during the testing phase) to only a few words/letter combinations. Then use QTP/UFT to cycle through these defined words/combinations. Again, this limitation on the control would only need to be done in the testing phase.
- If possible, ask your developers to add a method which will capture the characters used in the CAPTCHA control at runtime. Then, have QTP/UFT call that method, retrieve the text, and enter it into the field as needed. Once again, this method would only need to be in place while testing the application.
- If possible, ask your developers to add a flag that will allow you to bypass the control during the testing phase.
- Depending on the settings used within the CAPTCHA control, you may be able to use another application (for example, OCR software) to read the text from the image and return that text to QTP/UFT. Once QTP/UFT has the text, it can be entered into the field.
If you are testing an application for which you can also access the database, you can take the generated CAPTCHA from the database and store it in a variable. Use the stored variable for entering the CAPTCHA.
There is a simpler way to handle CAPTCHA on a webpage in QTP/UFT through "dynamic execution of data" used in the parametrization technique.

Is there a way to check if an action is used in ASP.NET MVC?

I'd like to know if there is a way to find defunct action methods on controllers. I have R# and ran analysis, but it didn't seem to check if the asp code called an action. Is there anything that does?
Implement a global action filter that records the action name in a persistent store somewhere. This way you can track which actions do get executed and figure out what's missing from possible actions. It's a bit tedious but may work for your purposes.
No, a tool would not know what actions are required, as they are invoked by the routing configuration. I suppose you could write a tool which could check which actions are accessible given the current routing configuration, but then it wouldn't be able to know whether those methods might be used by other code, as they are marked as public.

Workflow engines that integrate easily/work well with Spring Web?

I have a Spring MVC web application that I need to introduce workflow into and was wondering if anyone had recommendations on existing products that would integrate well/easily with Spring.
The steps (if that's the term) in any given workflow may or may not involve user interaction - so you could imagine kicking off something like a sign-in workflow that involves the following steps:
- user choosing a login name and password and submitting
- once submitted an email is generated with a confirmation URL
- on click of the confirmation URL the user is asked a few more questions and then the account is enabled
- if the URL is not clicked on within three days, a reminder is sent
- if the URL is not clicked on after the reminder is sent, the account is deleted
Admittedly this is a workflow that could be solved without a workflow engine, and I'm just using the example to illustrate that the steps involved in the workflows may or may not involve user interaction, have a time element, and have a concept of branching on certain events.
I had a look at Spring WebFlow and this seems more geared toward putting webpages together in a certain order to achieve a particular flow through the UI as opposed to specifying a persistent workflow.
I had a look at Spring Workflow Extensions, but (a) the documentation seemed a bit thin on the ground and (b) it's still in incubation state, both of which make me a bit nervous.
Any suggestions?
I've worked with and evaluated a few workflow engine solutions. In general, they end up being so complicated to set up that it ends up being easier to code your workflow by hand. There is one open source project called OS Workflow that looks like it takes this complexity into account, but I haven't had an opportunity to give it a closer look yet. Also, it doesn't look like the product is under active development currently.
I've used jBPM on a project, but I found the product to be confusing and not well documented. We ended up only using a very small set of the functionality and we plan on eventually replacing the functionality we're using with something homegrown.
Both frameworks also have Spring support via the Spring Modules project (which also looks to no longer have any development activity).
A quick Google search found me this article on popular Java workflow solutions, but I'm not familiar with most of these products.