
Possible Server-Side Request Forgery vulnerability #1626

Open
Chris-Paul3625 opened this issue Jan 21, 2025 · 2 comments

Comments

@Chris-Paul3625

flow_action_components/CloneAndTweak/force-app/main/default/classes/GetFlowMetadata.cls, line 83
Unsanitized input from a SOQL statement flows into setEndpoint, where it is used as a URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.

@ericrsmith35
Collaborator

@Chris-Paul3625 Do you have a suggested solution?

@Chris-Paul3625
Author

Hello Eric,
This vulnerability came up on our scan of the package. While I am not a dev, a few things that could resolve this would be to:
Ensure that any user-provided input is validated and sanitized before being used in the setEndpoint method. Define a strict whitelist of allowed URLs or patterns that are acceptable for your application. For example:

Use regular expressions to allow only specific domain names.
Restrict input to a list of predefined endpoints.

Additionally, our system offered up the following:

Named Credentials: Use Salesforce Named Credentials to manage external endpoint configuration. Named Credentials abstract the endpoint and authentication, reducing the risk of SSRF.
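The two mitigations suggested above (an allowlist check before setEndpoint, and routing the callout through a Named Credential) as an added Apex example. This is not code from the CloneAndTweak project or from either commenter; the class name, the exception class, the allowlisted host, the Named Credential name and the path pattern are all assumptions for illustration.

```apex
// Added example for this thread; not code from the CloneAndTweak project.
// Class name, allowlisted host and Named Credential name are assumptions.
public with sharing class SafeCalloutExample {

    public class EndpointNotAllowedException extends Exception {}

    // Hosts this org is permitted to call. Constructed sample value: replace with
    // the real API host(s) the package actually needs, and nothing broader.
    private static final Set<String> ALLOWED_HOSTS = new Set<String>{
        'api.example.com'
    };

    // Validates a URL that came from stored data (e.g. a field returned by SOQL)
    // before it may be passed to HttpRequest.setEndpoint. Throws if not allowed.
    public static String validateEndpoint(String rawUrl) {
        if (String.isBlank(rawUrl)) {
            throw new EndpointNotAllowedException('Empty endpoint');
        }
        Url parsed;
        try {
            parsed = new Url(rawUrl);
        } catch (Exception e) {
            throw new EndpointNotAllowedException('Malformed endpoint: ' + rawUrl);
        }
        String host = parsed.getHost();
        // Compare the parsed host exactly. A substring or startsWith check on the
        // raw string would also accept hosts that merely contain the allowed name.
        if (parsed.getProtocol() != 'https'
                || host == null
                || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new EndpointNotAllowedException('Endpoint not allowed: ' + rawUrl);
        }
        return rawUrl;
    }

    // Callout using a validated absolute URL.
    public static HttpResponse fetch(String rawUrl) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(validateEndpoint(rawUrl));
        req.setMethod('GET');
        return new Http().send(req);
    }

    // Named Credential variant: scheme, host and authentication are fixed in
    // Setup, so stored data can only choose a path beneath that base.
    public static HttpResponse fetchViaNamedCredential(String path) {
        // Constructed path check: relative path only, no scheme, no '..' segments.
        if (path == null
                || !Pattern.matches('^/[A-Za-z0-9_./\\-]*$', path)
                || path.contains('..')) {
            throw new EndpointNotAllowedException('Path not allowed: ' + path);
        }
        HttpRequest req = new HttpRequest();
        // 'Flow_Metadata_API' is a hypothetical Named Credential name.
        req.setEndpoint('callout:Flow_Metadata_API' + path);
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

Remote Site Settings already constrain which hosts an org's Apex may call, so the reachable set is bounded by whatever sites the installer has registered; the in-code allowlist keeps a stored value from steering the request to any other registered site, and the Named Credential form removes the host from user-controlled data altogether.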
