BlogFileMaker

Preventing Unwanted Plugin Calls in FileMaker

By March 23, 2021 One Comment

The fmplugin Extended Privilege Setting

In December 2020, FileMaker Pro 19.1.2 introduced a new feature that has not seen a lot of attention, judging by the lack of conversation and content. And it is an important security feature, so we wanted to make it gets a bit more coverage.

The fmplugin feature helps protect your solutions from exposure to plugins making unwanted calls to your files.

This change in behavior introduced with this feature fits with the overall security approach of disallowing actions until you explicitly allow them.

What Kind of Calls Are We Talking About Here?

Plugins can trigger scripts and use SQL queries to retrieve, add, and modify data. Some popular plugins with this capability are the free BaseElements plugin and the commercial MBS plugin, but there are many others. We will use these two in our examples below.

This is a risk to your solution, considering these plugins can do that from one file and target another file. They can do that without requiring a file reference from the source file to the target file. It works without requiring prior authorization between the two files.

How It Was Before

Here is the scenario: you have two files that unrelated in any way. There is no file reference between them and no prior authorization granted in the target file’s File Access section. And the target file requires a Full Access privilege to use references to it, as you will see in the screenshot below.

Screenshot of the Advanced Security Settings for "plugin_target"

That setting named Require Full Access privileges to use references to this file will stop anyone trying to use this file from another file through normal FileMaker methods such as adding a Table Occurrence or calling a script with the normal Perform Script script step. But it does not stop plugins from making calls.

In the file that the plugin will target, the user’s extended privileges are just the standard ones; no custom extended privileges were added:

Screenshot of the 'Extended Privilege' tab in the Advaned Security Settings for "plugin_target" window

You have another file with the script shown below, and the script uses plugins to call a script in the target file. Line 7 uses the BaseElements plugin and line 10, the MBS plugin, to run a script named target_script in the plugin_target file.

Screenshot of the "plugin_run_script_in_other_file" script

When you are logged into the plugin_target file with privileges that allow you to run scripts, the script that runs from the source file will successfully execute the target_script in the target file. This works despite not having any pre-existing connection between the two files. It does not trigger the normal File Access protection mechanism.

SQL Queries

The same applies to SQL queries executed from plugins in the same fashion.
There are often good business reasons for such a construct whereby two files can exchange data and execute each other’s scripts without any type of connection. (We tend to prefer using the available FileMaker Server APIs for this).

You risk an attacker guessing your script names (and open your file with sufficient privileges to run scripts if you use auto-login or ersatz security mechanism) and then run those scripts from any other file through the use of plugins.

Better Protection: the New fmplugin Extended Privilege

FileMaker 19.2.1 aims at helping developers defend against this by blocking this type of access by default and allowing developers to make choices about which plugins they want to allow access to their solution from the outside.

All files created with 19.2.1 or newer contain a new fmplugin extended privilege:

Screenshot of the Advanced Security Setting for "file_with_plugin" highlighting a new fmplugin extended privilege

In older files, you can add it manually to benefit from the same level of protection.

In your privilege sets, the extended privilege is turned off by default. A plugin trying to run a script or execute a SQL query from another file is not allowed and will fail.

Screenshot of the "Edit Privilege Set" window pointing to the "Validate cross-file plug-in acess (fmplugin) checkbox

So far, so good, loophole closed.

But what if you have a genuine need to allow a plugin from one file to work with another file?

You have some options to allow this to happen. FileMaker will evaluate different settings in a preset order to determine whether the plugin call is allowed.

The first option is to grant file-level authorization. With the fmplugin privilege in the target file unchecked, executing the plugin call will prompt you for authorization. If you decline, the call will fail.

Screenshot of the dialog prompting you for authorization

If you have Set Error Capture On, the call will silently fail, and Get(LastError) will remain 0. You will need to check the output from the plugins to check for errors. Each plugin reports this differently.

Screenshot of the Data Viewer

Authorizing Two Files

If you authorize the two files (which requires Full Access rights to the target file), the fmplugin setting will no longer play a role in any future plugin calls; you have explicitly given the authorization to use the target file from the source file.

Note that this is a very broad authorization; it applies to other actions such as creating a file reference to the target file, adding TOs for base tables of the target file into the source file. Use this option carefully.

If you do not want to authorize the two files at this high level and you want some more fine-grained control over the permissions, then you can choose to enable the fmplugin extended privilege of the user’s privilege set in the target file:

Screenshot of the "Edit Privilege Set" enabling fmplugin in the user's privilege set in the target file

When you do that, all plugin calls are allowed, provided that you are logged into the target file with an account that has a privilege set with the fmplugin extended privilege turned on. This allows calls from any plugin. And perhaps that is still not granular enough; perhaps you only want to allow calls from a particular plugin.

Creating a New Extended Privilege

To make that work, you need to create a new extended privilege that starts with fmplugin and appends the unique 4-character code of the plugin.

You can get that code from the plugin vendor, or if you are running FileMaker Pro 19.2.2 or later, you can use the new Get(InstalledFMPluginsAsJSON) function to retrieve the code. The code is listed as id in the JSON section for the plugin you want to allow:

Screenshot of the Get(InstalledFMPluginsAsJSON) function the 'id" in the JSON section

In your FileMaker file, add an extended privilege for the BaseElements plugin by appending that code to the fmplugin string (note that the plugin vendor code is case sensitive):

Screenshot of the "Edit Extended Privilege" window adding an extended privilege for the BaseElements plugin

And make sure it is selected for the privilege set of the account used by the target file and uncheck the generic fmplugin extended privilege:

Screenshot of the "Edit Privilege Set" window with arrow point to the "allow BE plugin (fmpluginGyBE) checkbox

With this, you would expect that calls originating from the source file that use the BaseElements plugin will work. Those from the MBS plugin will fail.
But that is not the case. Both will still fail.

FileMaker scans the extended privileges in order; the first one it reads here is the generic fmplugin, set to disallow all plugin calls. FileMaker will stop at this setting and block the plugins from proceeding.

You will have to delete the fmplugin extended privilege to make sure FileMaker can evaluate the custom privilege for the BaseElements plugin. After deleting the fmplugin extended privilege, only the BaseElement-specific one remains in the user’s privilege set:

Screenshot of the Edit Privilege Set window pointed to the "allow BE plugin (fmpluginGyBE) checkbox

The BaseElements call from the source file will now succeed (result = 0, which is BaseElement’s version of “ok”). The MBS plugin call will fail:

Screenshot of the Script Debugger and Data Viewer

Different levels of protection kick in depending on the combination of the available settings.

Scenarios in Which the BaseElement Plugin Call My Fail

Here are some scenarios in which the BaseElements plugin call may fail (assuming no file-level authorization has been set):

In the user’s privilege set
(in the target file)
Reason why the call from the BaseElements plugin will fail:
Screenshot zoomed in on the "Validate cross-file plug-in access (fmplugin) checkbox
  • Its specific fmpluginGyBE extended privilege is listed first, and it is disabled. When the target file receives a call from the plugin, it will stop there. The generic fmplugin setting does not get evaluated.
  • The MBS plugin call will work because it does not have a specific extended privilege; the enabled generic fmplugin covers it.
Screenshot zoomed in on the "allow BE plugin (fmpluginGyBE) checkbox
  • The generic fmplugin extended privilege is disabled, and when the call from the plugin comes in, FileMaker will stop there.
  • The MBS plugin call will also fail.

Let’s recap how the decision is made in this decision tree:

Screenshot of the decision tree plugin call from source file to target file

Conclusion

The fmplugin and fmpluginXXXX features close an important potential loophole in your solution’s security. We highly recommend evaluating how this could affect your solutions and whether you can use this to tighten up the security in your apps.

In order to benefit from this enhanced protection, your clients need to be running at least 19.2.1. If this level of protection is important to your solution, set the minimum version required to open your solution in your file’s options to 19.2.

Screenshot of the File Optios for "plugin_target" with "19.2" enterd for the minimum version of FileMaker allowed for opening the file

Contact our team to learn more about this feature and how to implement it in your FileMaker solution.

Wim Decorte

Wim Decorte

Wim is Director, Claris Practice at Soliant. He is a FileMaker 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17 and 18 Certified FileMaker Developer and the author of numerous Tech Briefs and articles on FileMaker Server. Wim is one of the very few multiple FileMaker Excellence Award winners and was most recently awarded the FileMaker Community Leader of the Year award at the 2015 FileMaker Developer Conference. He is also a frequent speaker at the FileMaker Developer Conference and at FileMaker Developer groups throughout the world. In addition to being a renowned expert on FileMaker Server, Wim also specializes in integrating FileMaker with other applications and systems. His pet project is the open source fmDotNet connector class that he created.

One Comment

Leave a Reply