链接到Apex方法的CSRF安全自定义按钮 [英] CSRF safe Custom button linked to Apex method
问题描述
我正在寻找一种技术,该技术可以通过添加到机会对象中的自定义按钮来执行Apex代码,从而保护用户免受CSRF的侵害.
I'm looking for a technique to execute Apex code from a custom button added to the Opportunity object in a way that protects the user against CSRF.
当前使用的方法来自以下问题-.本质上:
The current approach being used comes from the question - Custom Button or Link to a Visualforce page with a custom controller. Essentially:
- 有一个机会自定义按钮,其内容源设置为"Visualforce页面".
- 此按钮的内容设置为一个Visualforce页面,该页面使用Opportunity作为standardController,输入了扩展顶点类以及该类中方法的操作
- action方法将PageReference返回到另一个自定义Visualforce页面,包括添加带有机会ID的参数.
- 第二个自定义Visualforce页面完成了大部分实际工作,包括进行Web服务标注以及在将用户重定向回商机之前执行DML操作.
此方法的问题在于,第二个自定义Visualforce页面是通过HTTP GET检索的,从查询字符串中提取参数,并在没有CSRF保护的情况下执行更新/插入DML操作. Force.com安全源代码扫描程序正在对此进行提取.
The issue with this approach is that the second custom Visualforce page is retrieved via an HTTP GET, pulls parameters from the query string, and performs update/insert DML operations with no CSRF protection. This is being picked up by the Force.com Security Source Code Scanner.
我应该补充一点,此先端代码既作为托管程序包也作为非托管程序包部署,因此需要使用PageReference重定向到目标Visualforce Page的额外工作.这样可以确保在需要时添加名称空间前缀.
I should add that this apex code is deployed as both a managed and a unmanaged package, hence the extra work to redirect to the target Visualforce Page using a PageReference. This ensures the namespace prefix is added if required.
如何避免CSRF问题?
How can I avoid the CSRF issue?
我不想使用一个按钮将表单添加到第二个visualforce页面,他们必须按下按钮才能开始该过程(因此需要在回发中获取ViewStateCSRF保护).从用户的角度来看,他们已经按下了按钮来执行操作.
I don't want to add a form to the second visualforce page with a button that they must press to start the process (and hence picking up the ViewStateCSRF protection in the postback). From the users perspective they have already pressed the button to perform the operation.
I've asked this question before on the developer force forum and didn't come up with a solution - Cross-Site Request Forgery (CSRF/XSRF) safe Custom Button action
也许我应该尝试将代码移出第二个视觉力页面的控制器,而改为使用支架控制器的扩展名?
Perhaps I should be trying to move the code out of the controller for the second visual force page and using the extension to the stand controller instead?
我可以切换到Apex Web服务的JavaScript回调(如如何调用自定义按钮中的APEX方法),但似乎有点混乱,我不确定是否要通过Web服务来解决其他一系列安全问题.
I could switch to a Javascript callback to an Apex Web Service (as suggested in Call a apex method from a custom button and How invoke APEX method from custom button), but it seems a bit messy and I'm not sure if I'd just be opening up another range of security issues with the web service.
推荐答案
我与Salesforce预订了合作伙伴安全办公时间,并直接与他们讨论了此问题.
I booked Partner Security Office Hours with Salesforce and discussed this issue directly with them.
如果需要CSRF保护(即发布到App Exchange),当前不支持我尝试执行的操作.他们提出了两种替代方法:
What I'm trying to do isn't currently supported if CSRF protection is required (I.e. to publish to the App Exchange). They suggested two alternative approaches:
- 在Visualforce页面中创建一个触发敏感的Apex代码的中间表单.因此,选择内置的CSRF保护.
- 覆盖商机详细信息"页面(使用apex:Details显示类似信息).这个新的Visualforce页面将包含一个类似的表格,该表格回传到选项1,以调用敏感的APEX代码并获得自动CSRF保护.
不使用自定义按钮的另一种方法是嵌入/内嵌Visualforce页面(请参见在标准布局中嵌入页面,仅在标准页面布局中包含所需的按钮.
Another approach that doesn't use custom buttons is to embed/inline a Visualforce page (see Embed a Page on a Standard Layout) containing just the required button within the standard page layout.
嵌入式Visualforce页面必须使用标准对象控制器(在我的情况下为机会)才能出现在标准页面布局上的可用Visualforce页面列表中.仅在<apex:form>内使用commandButton,Visualforce页面本身可以非常小. Visualforce页面的标签也可以显示在页面布局中.
The embedded Visualforce page must use the standard object controller (Opportunity in my case) to appear in the list of available Visualforce pages on the standard page layout. The Visualforce page itself can be very minimal with just a commandButton inside a <apex:form>. The label of the Visualforce page can also be displayed in the page layout.
<apex:page id="embeddedPage" StandardController="Opportunity" extensions="OpportunityExtensionController" showHeader="false" standardStylesheets="true">
<apex:form >
<apex:commandButton value="CSRF Safe Button" action="someMethodInTheExtensionClass" />
</apex:form>
public with sharing class OpportunityExtensionController {
private final Opportunity opportunityFromController;
public OpportunityExtensionController(ApexPages.StandardController controller) {
opportunityFromController = (Opportunity)controller.getRecord();
}
public PageReference someMethodInTheExtensionClass() {
// Perform directly here within the postback rather than redirecting to another page to prevent against XSRF
System.debug('opportunityFromController.Id:' + opportunityFromController.Id);
}
}
这应该防止CSRF,因为commandButton会拾取隐藏的"com.salesforce.visualforce.ViewStateCSRF"输入,并将帖子发回到结果iframe中的服务器.
This should protect against CSRF as the commandButton will pick up the "com.salesforce.visualforce.ViewStateCSRF" hidden input with the post back to the server inside the resulting iframe.
我提出了这个想法从标准实体详细信息"页面调用Apex代码, CSRF保护,看看他们是否可以使用自定义按钮直接添加对此的支持.
I've raised the Idea Invoking Apex code from the standard Entity Details pages with CSRF protection to see if they can add support for this directly with custom buttons.
这篇关于链接到Apex方法的CSRF安全自定义按钮的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
