
Xml injection vulnerability in SObject

Open aaron-henselin opened this issue 5 years ago • 2 comments

Strings are not XmlEncoded when an SObject is encoded. This leads to "records not processed" exceptions when fields contain xml characters.

This should be considered a security issue, as tag injection and mass assignment are possible as a result. Proof of concept attack available on request.

aaron-henselin, Aug 30 '20 20:08
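To make the report above concrete, here is an added example (not code from the Force.com Toolkit for .NET or from the issue author) that models the two behaviours side by side. `SerializeUnsafe` and `SerializeSafe` are hypothetical names; the first builds the `<sObject>` record by string concatenation with no XML encoding, the second builds it with `XElement`, which escapes text content. The attacker-controlled `Name` value is constructed for the demonstration, and the `OwnerId` value in it is a placeholder, not a real Salesforce ID.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Xml.Linq;

// Added example: a toy SObject serializer, NOT the toolkit's own code.
public static class SObjectXmlDemo
{
    // Hypothetical vulnerable serializer: field values are concatenated into the
    // XML unchanged, so a value containing '<' or '&' becomes markup.
    public static string SerializeUnsafe(string objectType, IDictionary<string, string> fields)
    {
        var sb = new StringBuilder();
        sb.Append("<sObject type=\"").Append(objectType).Append("\">");
        foreach (var kv in fields)
        {
            sb.Append('<').Append(kv.Key).Append('>')
              .Append(kv.Value)                       // no encoding here
              .Append("</").Append(kv.Key).Append('>');
        }
        sb.Append("</sObject>");
        return sb.ToString();
    }

    // Hardened serializer: XElement escapes text nodes ('<' -> '&lt;', '&' -> '&amp;'),
    // and throws on a field name that is not a valid XML element name, so neither the
    // value nor the key can add elements. SecurityElement.Escape on each value would
    // give the same protection for the values if you keep the string builder approach.
    public static string SerializeSafe(string objectType, IDictionary<string, string> fields)
    {
        var root = new XElement("sObject",
            new XAttribute("type", objectType),
            fields.Select(kv => new XElement(kv.Key, kv.Value)));
        return root.ToString(SaveOptions.DisableFormatting);
    }

    // Parse the document back the way a receiving server would and report which
    // field elements it actually contains.
    public static List<string> FieldsSeenByServer(string xml) =>
        XElement.Parse(xml).Elements().Select(e => e.Name.LocalName).ToList();

    public static void Main()
    {
        // Constructed attacker input: closes the Name element, injects a sibling
        // field the caller never exposed, then reopens Name so the document stays
        // well-formed and is not rejected with "records not processed".
        var fields = new Dictionary<string, string>
        {
            ["Name"] = "Acme</Name><OwnerId>PLACEHOLDER_ID</OwnerId><Name>Acme",
            ["Phone"] = "555-0100",
        };

        string unsafeXml = SerializeUnsafe("Account", fields);
        Console.WriteLine(unsafeXml);
        Console.WriteLine("unsafe -> " + string.Join(",", FieldsSeenByServer(unsafeXml)));

        string safeXml = SerializeSafe("Account", fields);
        Console.WriteLine(safeXml);
        Console.WriteLine("safe -> " + string.Join(",", FieldsSeenByServer(safeXml)));
    }
}
```

With the unsafe serializer the parsed record carries an `OwnerId` element that was never in the caller's field list, which is the mass-assignment outcome the report describes; with the safe serializer the same value survives only as escaped text inside `Name`, and the server sees just `Name` and `Phone`. A value that breaks well-formedness (an unbalanced `<`, a bare `&`) is what produces the "records not processed" failure rather than a silent injection.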

Oh, I'm so glad you reported this. I have been encountering this error so I guess I need to sanitize my fields.

Salesforce.Common.ForceException: Records not processed
   at Salesforce.Common.XmlHttpClient.HttpGetAsync[T](Uri uri)
   at Salesforce.Common.XmlHttpClient.HttpGetAsync[T](String urlSuffix)
   at Salesforce.Force.ForceClient.GetBatchResultAsync(String batchId, String jobId)
   at Salesforce.Force.ForceClient.GetBatchResultAsync(BatchInfoResult batchInfo)
   at Salesforce.Force.ForceClient.RunJobAndPollAsync[T](String objectName, String externalIdFieldName, OperationType operationType, IEnumerable`1 recordsLists)
   at DragnetTech.EventProcessors.SalesForce.SFDCApi.RunJobAndPollAsync(String recordtype, String externalIdFieldName, OperationType operationType, List`1 batchList) in C:\BuildAgent\work\cd2eb89e93c72895\Functions\DragnetTech.EventProcessors\SalesForce\SFDCApi.cs:line 80

PaulDMendoza, Sep 01 '20 17:09

If you're OK with creating your own version of 'SObject', here is the associated PR:

https://github.com/wadewegner/Force.com-Toolkit-for-NET/pull/387/files

aaron-henselin, Sep 01 '20 18:09