Category Archives: Security

Security related posts.

Explicit error handling when working with XMLPort

During my development of Dynamics NAV Web Services for client’s integration with with their web shop I have had unforseen behaviour of XMLPorts.

When you use SETTABLEVIEW function of XMLPort to narrow data to export you use some kind of input parameter (or parameters) you can do something like this:

GetShipToAddress(CustID : Code[20];VAR XMLShipToAddress : XMLport "Ship To Address")
IF CustID <> '' THEN BEGIN
 ShipToAddressLoc.RESET;
 ShipToAddressLoc.SETRANGE("Customer No.",CustID);
 XMLShipToAddress.SETTABLEVIEW(ShipToAddressLoc);
END;

But with this approach you risk the unintentional exposure of all data. Because of using XMLPort as VAR there is no filter in XMLPort – unless defined otherwise on Node element in XMLPort used.

When XMLPort is used in function exposed as web service of codeunit it is “automagically” populated with data AFTER the function has finished. Therefore, if no filter is set on XMLPort it is populated with ALL data from that/those tables used in it.

The secure way of doing this is with proper error handling. Something like this:

GetShipToAddress(CustID : Code[20];VAR XMLShipToAddress : XMLport "Ship To Address")
IF CustID <> '' THEN BEGIN
 ShipToAddressLoc.RESET;
 ShipToAddressLoc.SETRANGE("Customer No.",CustID);
 XMLShipToAddress.SETTABLEVIEW(ShipToAddressLoc);
END ELSE BEGIN
 ERROR(Text001);
END;

When inserting data though web services using XMLPort you should just use XMLPort.IMPORT function in you exposed web service function. All other required data checking should be done in OnBeforeInsertRecord trigger of Table element in XMLPort.

ShipToAddressTable - Import::OnBeforeInsertRecord()
IF ("Ship-to Address"."Customer No." = '') THEN
 ERROR(Text001);
IF ("Ship-to Address".Code = '') THEN
 ERROR(Text002);

When calling web service functions from client side, you should be writing your calls within try/catch block of code so you get proper exception/error code.

These are some thing you should have in mind when using XMLPorts in exposed web services to get enhanced security of data.