Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

CSRF safe Custom button linked to Apex method

Tags:

csrf

salesforce

apex-code

visualforce

I'm looking for a technique to execute Apex code from a custom button added to the Opportunity object in a way that protects the user against CSRF.

The current approach being used comes from the question - Custom Button or Link to a Visualforce page with a custom controller. Essentially:

  1. There is an Opportunity Custom Button with the Content Source set to "Visualforce Page".
  2. The Content for this button is set to a Visualforce page that uses Opportunity for the standardController, has an extension apex class entered and an action for a method in that class
  3. The action method returns a PageReference to another custom Visualforce page, including adding a parameter with the Opportunity Id.
  4. This second custom Visualforce page does the bulk of the actual work, including making web service callouts and performing DML operations before redirecting the user back to the Opportunity.

The issue with this approach is that the second custom Visualforce page is retrieved via an HTTP GET, pulls parameters from the query string, and performs update/insert DML operations with no CSRF protection. This is being picked up by the Force.com Security Source Code Scanner.

I should add that this apex code is deployed as both a managed and a unmanaged package, hence the extra work to redirect to the target Visualforce Page using a PageReference. This ensures the namespace prefix is added if required.

How can I avoid the CSRF issue?

I don't want to add a form to the second visualforce page with a button that they must press to start the process (and hence picking up the ViewStateCSRF protection in the postback). From the users perspective they have already pressed the button to perform the operation.

I've asked this question before on the developer force forum and didn't come up with a solution - Cross-Site Request Forgery (CSRF/XSRF) safe Custom Button action

Perhaps I should be trying to move the code out of the controller for the second visual force page and using the extension to the stand controller instead?

I could switch to a Javascript callback to an Apex Web Service (as suggested in Call a apex method from a custom button and How invoke APEX method from custom button), but it seems a bit messy and I'm not sure if I'd just be opening up another range of security issues with the web service.

like image 859
Daniel Ballinger Avatar asked May 30 '12 03:05

Daniel Ballinger

People also ask

Can I use ‘action’ attribute on apex page and CSRF attacks?

WARNING: Use of ‘action’ attribute on apex:page and CSRF Attacks. If you use the ‘ action ‘ attribute as per step 4 your Apex code will execute as soon as the Custom Button is pressed. However if your Apex code performs database updates this is considered unsecured as its possible that your code will be open to a CSRF attack.

Is it possible to require CSRF protection on GET requests?

Currently however, the new ‘ Require CSRF protection on GET requests ‘ checkbox on the Visualforce page is only considered when the page is used to override the standard Delete button on an object. Hopefully support for Custom Button will arrive soon!

How do I add a custom button to an apex page?

Create a Visualforce page, using the ‘standardController‘ and ‘extensions‘ attributes on apex:page *. Create a Custom Button using the Visualforce page as its Content Source. Add the Custom Button to the appropriate Layout of the object. Use either the ‘action‘ attribute (see warning below) or apex:commandButton‘s on your page to invoke Apex logic.

How to call apex controller from VF page?

Goto --> Setup --> Object --> Buttons, links and Actions section-->Click New Button or Link. You need to create action function in vf page which will call apex, action function will be called by js. So indirectly you are calling apex from js. Hope this helps. You have to make use of AJAX toolkit to call the method in Apex Controller.

1 Answers

I booked Partner Security Office Hours with Salesforce and discussed this issue directly with them.

What I'm trying to do isn't currently supported if CSRF protection is required (I.e. to publish to the App Exchange). They suggested two alternative approaches:

  1. Create an intermediate form in a Visualforce page that triggers the sensitive Apex Code. Hence picking up the built in CSRF protection.
  2. Override the Opportunity Detail page (using apex:Details to display similar information). This new Visualforce page would include a similar form post back to option 1 to invoke the sensitive APEX code and get automatic CSRF protection.

Another approach that doesn't use custom buttons is to embed/inline a Visualforce page (see Embed a Page on a Standard Layout) containing just the required button within the standard page layout.

The embedded Visualforce page must use the standard object controller (Opportunity in my case) to appear in the list of available Visualforce pages on the standard page layout. The Visualforce page itself can be very minimal with just a commandButton inside a <apex:form>. The label of the Visualforce page can also be displayed in the page layout.

<apex:page id="embeddedPage" StandardController="Opportunity" extensions="OpportunityExtensionController" showHeader="false" standardStylesheets="true">
<apex:form >
    <apex:commandButton value="CSRF Safe Button" action="someMethodInTheExtensionClass" />
</apex:form>


public with sharing class OpportunityExtensionController {

    private final Opportunity opportunityFromController;

    public OpportunityExtensionController(ApexPages.StandardController controller) {
        opportunityFromController = (Opportunity)controller.getRecord();        
    }

    public PageReference someMethodInTheExtensionClass() {

        // Perform directly here within the postback rather than redirecting to another page to prevent against XSRF

        System.debug('opportunityFromController.Id:' + opportunityFromController.Id);
    }
}

This should protect against CSRF as the commandButton will pick up the "com.salesforce.visualforce.ViewStateCSRF" hidden input with the post back to the server inside the resulting iframe.

I've raised the Idea Invoking Apex code from the standard Entity Details pages with CSRF protection to see if they can add support for this directly with custom buttons.

like image 134
Daniel Ballinger Avatar answered Sep 30 '22 13:09

Daniel Ballinger
Sign in to Comment

Related questions

How can I parse a String and return an Enum value in Apex Code?
CSS, Salesforce, ExtJS, and the blues
SalesForce API query doesn't show custom fields
Soql query to retrieve opportunities between two dates
RForcecom accessing unknown field names
parent-child relationship query in simple_salesforce python, extracting from ordered dicts
How can I get the key as well as the value in an apex for loop?
Salesforce php REST API with automatic login
How to get just the system.debug output when executing code?
How do I request a single random row from a force.com database in SOQL?
Fire a update trigger when particular field is updated
How to show only extracted error message from Custom Validation on a Visualforce Page?
Salesforce Refresh Token OAuth
Error with SalesForce authentication from C# Client(s)
array length in Salesforce
How do I introspect the class of a variable in APEX?
Salesforce MobileSDK: The Rest API is not enabled for this Organization
After Update Trigger pending Approval request OriginalActorId
Does Azure ACS support saml 2.0 IdPs like Salesforce?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!