[Security] Arbitrary code execution through unrestricted DLL scanning in PluginDiscovery #4

@pournasserian

Summary

PluginDiscovery.Scan() resolves the scan path from Assembly.GetExecutingAssembly().Location / Environment.ProcessPath and enumerates all *.dll files in the application's output directory that match ScanAssemblyPatterns (default: FluentCMS.Plugins.*). Any DLL placed in that directory will be loaded and executed with the application's full trust level on next startup.

Location

Plugins/FluentCMS.Infrastructure.Plugins/Discovery/PluginDiscovery.cs, Scan() method (~line 42)

Risk

A supply-chain or filesystem-level attacker can drop a malicious DLL matching the naming pattern and have arbitrary code execute at application startup. There is no:

  • File signature / hash verification
  • Allowlist of trusted publishers (Authenticode)
  • Sandbox or isolated execution

Reproduction

  1. Build the host application.
  2. Copy a malicious DLL named FluentCMS.Plugins.Evil.dll into the output directory.
  3. Restart the application — the DLL is discovered, loaded, and any IPluginStartup implementation executes.

Recommendation

  1. Allow operators to configure an explicit, out-of-tree plugin directory instead of defaulting to the host binary directory:
    options.PluginDirectory = "/opt/myapp/plugins"; // separate from binaries
  2. Optionally add file hash verification or Authenticode certificate validation before loading each assembly.
  3. Consider a plugin allowlist (name + expected hash) stored in a protected configuration location.

Severity

🔴 Critical / Security
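
One way to combine the three recommendations above, as an added example that is not FluentCMS code: the class name `VerifiedPluginLoader`, the allowlist shape (file name mapped to an expected SHA-256 hex string) and the use of .NET 5 or later are assumptions. It refuses the host binary directory, skips any DLL that is not on the allowlist or whose hash differs, and loads the exact bytes it hashed.

```csharp
// Added example, not project code. VerifiedPluginLoader and the allowlist shape are hypothetical.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.Loader;
using System.Security.Cryptography;

public static class VerifiedPluginLoader
{
    // allowlist: file name -> expected SHA-256 (hex), read from a protected configuration location.
    public static List<Assembly> Load(string pluginDirectory, IReadOnlyDictionary<string, string> allowlist)
    {
        var root = Path.TrimEndingDirectorySeparator(Path.GetFullPath(pluginDirectory));
        var hostDir = Path.TrimEndingDirectorySeparator(Path.GetFullPath(AppContext.BaseDirectory));
        if (string.Equals(root, hostDir, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Plugin directory must be separate from the host binaries.");

        var loaded = new List<Assembly>();
        foreach (var path in Directory.EnumerateFiles(root, "FluentCMS.Plugins.*.dll", SearchOption.TopDirectoryOnly))
        {
            var name = Path.GetFileName(path);
            if (!allowlist.TryGetValue(name, out var expectedHex))
            {
                Console.Error.WriteLine($"Skipping {name}: not on the plugin allowlist.");
                continue;
            }

            // Read the file once, then hash and load those same bytes, so the file
            // on disk cannot be swapped between verification and load.
            byte[] bytes = File.ReadAllBytes(path);
            byte[] actual = SHA256.HashData(bytes);
            byte[] expected = Convert.FromHexString(expectedHex);
            if (!CryptographicOperations.FixedTimeEquals(actual, expected))
            {
                Console.Error.WriteLine($"Skipping {name}: SHA-256 mismatch.");
                continue;
            }

            // Assemblies loaded from a stream have an empty Assembly.Location.
            using var ms = new MemoryStream(bytes, writable: false);
            loaded.Add(AssemblyLoadContext.Default.LoadFromStream(ms));
        }
        return loaded;
    }
}
```

The allowlist only helps if the process that can write to the plugin directory cannot also write to the allowlist, so the two should carry different file permissions.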

Labels: bug, security
