I'm looking for a technique to execute Apex code from a custom button added to the Opportunity object in a way that protects the user against CSRF.
The current approach being used comes from the question - Custom Button or Link to a Visualforce page with a custom controller. Essentially:
There is an Opportunity Custom Button with the Content Source set to "Visualforce Page".
The Content for this button is set to a Visualforce page that uses Opportunity for the standardController, has an extension apex class entered and an action for a method in that class
The action method returns a PageReference to another custom Visualforce page, including adding a parameter with the Opportunity Id.
This second custom Visualforce page does the bulk of the actual work, including making web service callouts and performing DML operations before redirecting the user back to the Opportunity.
The issue with this approach is that the second custom Visualforce page is retrieved via an HTTP GET, pulls parameters from the query string, and performs update/insert DML operations with no CSRF protection. This is being picked up by the Force.com Security Source Code Scanner.
I should add that this apex code is deployed as both a managed and a unmanaged package, hence the extra work to redirect to the target Visualforce Page using a PageReference. This ensures the namespace prefix is added if required.
How can I avoid the CSRF issue?
I don't want to add a form to the second visualforce page with a button that they must press to start the process (and hence picking up the ViewStateCSRF protection in the postback). From the users perspective they have already pressed the button to perform the operation.
I've asked this question before on the developer force forum and didn't come up with a solution - Cross-Site Request Forgery (CSRF/XSRF) safe Custom Button action
Perhaps I should be trying to move the code out of the controller for the second visual force page and using the extension to the stand controller instead?
I could switch to a Javascript callback to an Apex Web Service (as suggested in Call a apex method from a custom button and How invoke APEX method from custom button), but it seems a bit messy and I'm not sure if I'd just be opening up another range of security issues with the web service.
I booked Partner Security Office Hours with Salesforce and discussed this issue directly with them.
What I'm trying to do isn't currently supported if CSRF protection is required (I.e. to publish to the App Exchange). They suggested two alternative approaches:
Create an intermediate form in a Visualforce page that triggers the sensitive Apex Code. Hence picking up the built in CSRF protection.
Override the Opportunity Detail page (using apex:Details to display similar information). This new Visualforce page would include a similar form post back to option 1 to invoke the sensitive APEX code and get automatic CSRF protection.
Another approach that doesn't use custom buttons is to embed/inline a Visualforce page (see Embed a Page on a Standard Layout) containing just the required button within the standard page layout.
The embedded Visualforce page must use the standard object controller (Opportunity in my case) to appear in the list of available Visualforce pages on the standard page layout. The Visualforce page itself can be very minimal with just a commandButton inside a <apex:form>. The label of the Visualforce page can also be displayed in the page layout.
<apex:page id="embeddedPage" StandardController="Opportunity" extensions="OpportunityExtensionController" showHeader="false" standardStylesheets="true">
<apex:form >
<apex:commandButton value="CSRF Safe Button" action="someMethodInTheExtensionClass" />
</apex:form>
public with sharing class OpportunityExtensionController {
private final Opportunity opportunityFromController;
public OpportunityExtensionController(ApexPages.StandardController controller) {
opportunityFromController = (Opportunity)controller.getRecord();
}
public PageReference someMethodInTheExtensionClass() {
// Perform directly here within the postback rather than redirecting to another page to prevent against XSRF
System.debug('opportunityFromController.Id:' + opportunityFromController.Id);
}
}
This should protect against CSRF as the commandButton will pick up the "com.salesforce.visualforce.ViewStateCSRF" hidden input with the post back to the server inside the resulting iframe.
I've raised the Idea Invoking Apex code from the standard Entity Details pages with CSRF protection to see if they can add support for this directly with custom buttons.
Why don't you use a JavaScript button in the first place to launch the second page? Bypass the first page altogether.
Salesforce will apply merging to the script before rendering (so you can use {!Opportunity.Id} to include opp id in the second URL) and you can simply redirect the browser to your second page.
Related
I am fixing soql injection errors in my Salesforce org. How do I find out where that page is being called from in Salesforce? I tried looking at the 'Where is this used?" button under setup/Visualforce page/edit/ and it just shows me the test that it is being called from. I checked the show dependencies and it shows me the controller that it is associated with. I can't seem to figure how I can access the page in Salesforce so I can do a manual test on it.
Create a sandbox and try to delete it in there. If page is "properly" used - dependency should block the delete. Can be custom VF tab, button, link, embed on page layout as iframe... Can even be in community or Site as a login page for example.
If you have the project in git or sfdx you could try searching for page's API name.
But pages can be also accessed freestyle, in classic UI you used to just /apex/vfpagename in the address bar. In lightning it's bit more complex but doable for a determined user.
If you want to block access while you fix it - remove right to use the page from profiles / permission sets.
https://salesforce.stackexchange.com/a/12672/799
https://lightning-configuration.salesforce.com used to give some info about VF pages usage (count of hits I think) and there's whole Event Monitoring module paid extra (standalone or as part of Salesforce Shield) too
We are planning to migrate our users from Classic to Lightning with a phased roll out. That means we need to retain all the behaviours of Classic and Lightning in parallel for a period of time.
That's working well, except for Button Overrides. There doesn't appear to be a way of configuring Lightning to use the standard edit behaviour, while Classic retains an edit form override. For classic the options available are No Override, Custom S-Control and Visual Force Page. However, the only options available for Lightning are Lightning Component or Use the Salesforce Classic override. There's no option for No Override.
We tried writing a custom Aura component to re-direct to the edit page with ?nooverride=1 but that doesn't work - the user is re-directed, but once the edit page is closed and saved, the user is left on a blank page, not re-directed back to the view of the edited page.
Does anyone have a workaround, or explanation as to why this seems not to be possible ?
whenever you specify a Url as a retURL parameter Salesforce will redirect to that url.
Now in Salesforce Classic view page means xxx.salesforce.com/IdOfRecordToView so You can try retURL parameter in URL with the value of Salesforce Record id which you are editing
example : xxx.salesforce.com/a010000000000qn/e?retURL=%2Fa010000000000qn&nooverride=1
I know this feature is available for the old Salesforce UI, but couldn't find anywhere how to pre-populate recipients using Docusign Lightning component.
Has anybody been able to solve it?
With SalesForce "classic" you could use a JavaScript button to prepopulate recipient info when the DocuSign Envelope is created. However, it appears that SalesForce Lightening does not support JavaScript buttons.
To customize "Send with DocuSign" behavior in SalesForce Lightening, you might try the following approach:
Create a Visualforce page that launches an APEX class controller that opens a URL.
Create a class to define that controller.
Create a new action on the opportunity and associate the Visualforce page to the action.
Add the Action to the appropriate area on the Opportunity page layout.
You can find a code sample for this type of implementation on this thread in the SalesForce Developer forum: https://developer.salesforce.com/forums/?id=906F0000000BWr4IAG. And, this other SO post shows an attempt to implement this approach to customize the Send with Docusign behavior: Customize "Send With Docusign" in Salesforce Lightning.
Note: I'm not a SalesForce developer and this answer is simply recommending an approach that others seem to have used in the scenario you've described.
To run analytics javascript on every salesforce page I want to insert Javascript in every page.
So far I read about a couple of different methods:
home page component
a HTML Home page component (need to customize UI to show the components on every page)
limitations: does not work for Chatter, Reports and Setup
possible issue: these comments indicate problems with 'winter 13'
Custom Button with Javascript
(don't know much about this yet) sound like one has to create/assign the buttons to object-types)
Custom APEX controller?
How would this work?
Visualforce page ??
How would this work?
To my understanding it would be possible to replace everything with visualforce pages, but this is obviously not very elegant/maintainable.
I'm curious to see what other methods there are, in partciular by modifying the controller?
What other things to consider (downsides, risks) with the presented methods?
Sidebar component sounds best suited for that to be honest.
Any button/link you'll add to object detail pages will both require clicking on it(!) and won't work on "tab view", "new record" or "edit" pages. You could override most of them with VF pages but that's A LOT of work and there's no way you'll be able to customize UI of these special places: Chatter, Console tab, Reports,Dashboard.
I'm not sure what do you mean by "modifying the controller", there's no such global thing you'd have access to.
There's option of embedding a small VF page into page layout of every detail page but it's equally limited in terms of maintenance and not being present on the new/edit pages.
There are better analytics options for Force.com Sites (not the least of them being the <site:googleAnalyticsTracking/> tag). You should also receive a monthly newsletter (typically with 2-3 month's delay) summarizing usage of your Salesforce instance, user adoption, areas to explore etc. If you don't - check your User's "receive salesforce newsletter" etc settings.
I want to add new section to the leads to call api request depending on the lead website url
It's something like creating the web-based tab, but I want to ad inside the leads to get data from a website depending on the lead website url
You can have VisualForce pages inline in a page layout, but the height is fixed and I generally don't find it to be an elegant solution, but it may work well in your case depending on what information you're bringing back and whether the length needs to be dynamic.
I'd implement this as a Visualforce page, and then use a formula field on the link to create a link to the page based on the Lead's URL. Users could then click this link to popup a new window with your page and information.