CSRF safe Custom button linked to Apex method


Question

I'm looking for a technique to execute Apex code from a custom button added to the Opportunity object in a way that protects the user against CSRF.

The current approach being used comes from the question - Custom Button or Link to a Visualforce page with a custom controller. Essentially:

  1. There is an Opportunity custom button with the content source set to "Visualforce Page".
  2. The content of this button is set to a Visualforce page that uses Opportunity as the standard controller, with an extension Apex class and an action method in that class.
  3. The action method returns a PageReference to another custom Visualforce page, including adding a parameter with the Opportunity Id.
  4. The second custom Visualforce page does most of the actual work, including making a web service callout and performing DML operations before redirecting the user back to the Opportunity.

The issue with this approach is that the second custom Visualforce page is retrieved via an HTTP GET, pulls parameters from the query string, and performs update/insert DML operations with no CSRF protection. This is being picked up by the Force.com Security Source Code Scanner.

I should add that this Apex code is deployed as both a managed and an unmanaged package, hence the extra work to redirect to the target Visualforce page using a PageReference. This ensures the namespace prefix is added if required.

How can I avoid the CSRF issue?

I don't want to add a form to the second Visualforce page with a button that they must press to start the process (and hence pick up the ViewStateCSRF protection in the postback). From the user's perspective they have already pressed the button to perform the operation.

I've asked this question before on the Developer Force forum and didn't come up with a solution - Cross-Site Request Forgery (CSRF/XSRF) safe Custom Button action

Perhaps I should be trying to move the code out of the controller for the second Visualforce page and using the extension to the standard controller instead?

I could switch to a JavaScript callback to an Apex Web Service (as suggested in Call a apex method from a custom button and How invoke APEX method from custom button), but it seems a bit messy and I'm not sure if I'd just be opening up another range of security issues with the web service.

Answer

I booked Partner Security Office Hours with Salesforce and discussed this issue directly with them.

What I'm trying to do isn't currently supported if CSRF protection is required (i.e. to publish to the AppExchange). They suggested two alternative approaches:

  1. Create an intermediate form in the Visualforce page that triggers the sensitive Apex code, so the built-in CSRF protection is picked up.
  2. Override the Opportunity detail page (using apex:detail to display similar information). This new Visualforce page would contain a form postback similar to option 1 to invoke the sensitive Apex code and get the automatic CSRF protection.


Another approach that doesn't use custom buttons is to embed/inline a Visualforce page (see Embed a Page on a Standard Layout) containing just the required button within the standard page layout.

The embedded Visualforce page must use the standard object controller (Opportunity in my case) to appear in the list of available Visualforce pages on the standard page layout. The Visualforce page itself can be very minimal, with just a commandButton inside an <apex:form>. The label of the Visualforce page can also be displayed in the page layout.

<apex:page id="embeddedPage" StandardController="Opportunity" extensions="OpportunityExtensionController" showHeader="false" standardStylesheets="true">
<apex:form >
    <!-- action must be a merge expression that names the controller method -->
    <apex:commandButton value="CSRF Safe Button" action="{!someMethodInTheExtensionClass}" />
</apex:form>
</apex:page>

public with sharing class OpportunityExtensionController {

    private final Opportunity opportunityFromController;

    public OpportunityExtensionController(ApexPages.StandardController controller) {
        // The record (and its Id) comes from the standard controller, not from a query string parameter
        opportunityFromController = (Opportunity)controller.getRecord();
    }

    public PageReference someMethodInTheExtensionClass() {

        // Perform directly here within the postback rather than redirecting to another page to prevent against XSRF

        System.debug('opportunityFromController.Id:' + opportunityFromController.Id);

        // Returning null re-renders the current page; an action method declared as PageReference must return a value
        return null;
    }
}

This should protect against CSRF as the commandButton will pick up the "com.salesforce.visualforce.ViewStateCSRF" hidden input with the post back to the server inside the resulting iframe.

I've raised the Idea Invoking Apex code from the standard Entity Details pages with CSRF protection to see if they can add support for this directly with custom buttons.
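The following is an added example (not code from the original question or answer, and not Salesforce's own) that puts the flagged GET-driven pattern from the question next to the postback pattern the answer recommends, with the callout and DML from the original four-step flow carried out inside the action method. The method name processOpportunity, the endpoint https://example.invalid/quote, and the custom field External_Quote_Id__c are assumptions; the endpoint would need a Remote Site Setting or Named Credential in a real org, and the commandButton in the page above would reference it as action="{!processOpportunity}".

```apex
// ---- The pattern the scanner flags (added illustration, assumed page reached by HTTP GET) ----
// Anything that makes a logged-in user's browser issue GET /apex/ProcessOpportunity?id=006...
// (for example an <img> tag on a third-party page) triggers the update: no token is checked.
public with sharing class OpportunityProcessGetController {
    public PageReference process() {
        Id oppId = ApexPages.currentPage().getParameters().get('id');   // attacker-controlled
        Opportunity opp = [SELECT Id, StageName FROM Opportunity WHERE Id = :oppId];
        opp.StageName = 'Closed Won';
        update opp;                                                      // DML on a GET
        return new PageReference('/' + oppId);
    }
}

// ---- Hardened form: the work happens inside the apex:form postback ----
// The record Id comes from the standard controller (captured when the page the user is
// already viewing was rendered), not from a request parameter, and the postback carries the
// com.salesforce.visualforce.ViewStateCSRF hidden input that the platform validates.
public with sharing class OpportunityExtensionController {
    private final Opportunity opp;

    public OpportunityExtensionController(ApexPages.StandardController controller) {
        this.opp = (Opportunity) controller.getRecord();
    }

    public PageReference processOpportunity() {
        // "with sharing" only enforces record-level access; check object and field permissions
        // explicitly so a user without update rights cannot drive the change through this page.
        if (!Schema.sObjectType.Opportunity.isUpdateable()
            || !Schema.sObjectType.Opportunity.fields.External_Quote_Id__c.isUpdateable()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR,
                'You do not have permission to update this Opportunity.'));
            return null;
        }

        // Re-query what the action needs rather than trusting whatever the form round-tripped.
        Opportunity record = [SELECT Id, Name FROM Opportunity WHERE Id = :opp.Id];

        // Callout first, DML second: Apex raises "You have uncommitted work pending" if a
        // callout follows DML in the same transaction.
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://example.invalid/quote');        // assumed endpoint
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(JSON.serialize(new Map<String, Object>{
            'opportunityId' => record.Id,
            'name'          => record.Name
        }));
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR,
                'Quote service returned HTTP ' + res.getStatusCode()));
            return null;
        }
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());

        record.External_Quote_Id__c = (String) body.get('quoteId');   // assumed custom field
        update record;

        // On a Classic layout the embedded page is rendered in an iframe, so a redirect
        // PageReference would navigate only the iframe. Re-render with a message instead.
        ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.CONFIRM,
            'Quote ' + record.External_Quote_Id__c + ' created.'));
        return null;
    }
}
```

The difference that matters to the scanner is where the record identity and the trigger come from: in the first class both arrive in a GET that any page can forge, while in the second the Id is bound in the view state of a page the user rendered and the request is a POST the platform will reject without a valid ViewStateCSRF token.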

