SalesforceLabs / survey-force


SAST Testing Report #80

Closed PhilipMorris-SW closed 3 years ago

PhilipMorris-SW commented 4 years ago

Hello,

During the company overview of security issues, we were required to export a SAST report (Static Application Security Testing) to check and review all custom code and installed packages. The result of the SAST report requires your assistance and reference. Please provide us more details on the following actions:

1. Query: Stored XSS. This action was raised in relation to the Survey Force app. Please guide us if we have a security issue here and what the next step is to resolve it.
2. Query: FLS Create, FLS Update, CRUD Delete. This action was raised in relation to the Survey Force app. Please guide us if we have a security issue here and what the next step is to resolve it.

Thanks in advance for your support, Aya
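The second query in the report ("FLS Create, FLS Update, CRUD Delete") is the class of finding that a Salesforce SAST tool raises when Apex performs DML without first checking the running user's object-level (CRUD) and field-level (FLS) permissions. The following is an added illustration of what such checks look like in Apex; it is not code from the survey-force repository, and the object name `Survey__c` and field `Survey_Header__c` are assumed placeholders, not verified names from the package.

```apex
// Added example, not survey-force code. Survey__c and Survey_Header__c are assumed placeholder names.
public with sharing class SurveyAccessExample {

    public class AccessException extends Exception {}

    // FLS Create: check the object and every written field before insert.
    public static void createSurvey(String header) {
        if (!Schema.sObjectType.Survey__c.isCreateable()) {
            throw new AccessException('No create access on Survey__c');
        }
        if (!Schema.sObjectType.Survey__c.fields.Survey_Header__c.isCreateable()) {
            throw new AccessException('No create access on Survey__c.Survey_Header__c');
        }
        insert new Survey__c(Survey_Header__c = header);
    }

    // FLS Update: the same pattern with the update-oriented describe methods.
    public static void updateHeader(Id surveyId, String header) {
        if (!Schema.sObjectType.Survey__c.isUpdateable()
            || !Schema.sObjectType.Survey__c.fields.Survey_Header__c.isUpdateable()) {
            throw new AccessException('No update access on Survey__c.Survey_Header__c');
        }
        update new Survey__c(Id = surveyId, Survey_Header__c = header);
    }

    // Alternative for bulk writes: strip fields the user cannot write instead of failing.
    public static List<Survey__c> createSurveys(List<Survey__c> records) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, records);
        insert decision.getRecords();
        return decision.getRecords();
    }

    // CRUD Delete: object-level check, and read the record with security enforced.
    public static void deleteSurvey(Id surveyId) {
        if (!Schema.sObjectType.Survey__c.isDeletable()) {
            throw new AccessException('No delete access on Survey__c');
        }
        delete [SELECT Id FROM Survey__c WHERE Id = :surveyId WITH SECURITY_ENFORCED];
    }
}
```

The describe-based checks (`isCreateable`, `isUpdateable`, `isDeletable`) are what the Salesforce security review and most SAST rules look for; `Security.stripInaccessible` and `WITH SECURITY_ENFORCED` are the newer platform alternatives and also satisfy those rules. Whether a given finding in the report is a true positive depends on whether the flagged DML statement in the installed code is preceded by one of these checks.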

dschach commented 4 years ago

As an open-source project, you have access to all the code and can do your own assessment. SAST reports are irrelevant when related to an open-source application. If you have concerns, please see the code in this repository. If you need to request an SAST report from Salesforce, please contact them directly.

PhilipMorris-SW commented 4 years ago

Hi @dschach

It's used as a managed app from the AppExchange, where we won't update the code.

So please check again what your responsibility is regarding this (either it's an issue you need to address, or you consider this a false positive).

Full details on this security issue:

Query: Stored XSS

A cross-site scripting weakness occurs when dynamically generated web pages display unvalidated, unfiltered, and unencoded user input allowing an attacker to embed malicious scripts into the generated page. This can be leveraged to execute scripting code as if it came from the site's server on the computer of anyone who uses the site. This may be a false positive if the datatype is safe to render unescaped (such as an integer or rich text field).

References:

https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting

https://www.owasp.org/index.php/Cross_Site_Scripting

Stored XSS result path 1:

Object: getsurvey_header__c
In file: pages/TakeSurvey.page
L 30:

jrattanpal commented 4 years ago

@PhilipMorris-SW

That package you installed from AppExchange is an unmanaged package. Once it was installed, you own it. You have complete control over the code and can change it in any way you want.

I will keep this issue open and look into the area you mention when I get time. However, even if I update the package, you will not be able to upgrade it because it's an unmanaged package.

You still have to manually change the code as needed.

jrattanpal commented 4 years ago

I checked the code. I saved "SurveyForce Sample Survey test" as Header.

When this is rendered, you see those HTML tags as is because, if you look into "View Source", it shows up as "SurveyForce Sample Survey <strong>test</strong>".

So when the Survey header is stored, HTML tags are converted to their literal form. Whether you use escape="true" or "false", it will show up the same way.

Maybe I'll remove it in future to avoid this but for now, this is not a security issue. You can test it and let me know if you can break it somehow. Then I can dig deeper (if you give me repro steps).

Please note that this package and code have been through Salesforce Security Review and were tested for all types of text. No issues were found with this.
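The exchange above turns on where encoding happens: the header text is entity-encoded when it is saved, so the rendered page shows the tags literally. A defensive pattern that does not rely on storage behaviour is to encode at output time in the controller getter that Visualforce binds to, so the page is safe even if a future write path stores raw markup. The following is an added example, not code from survey-force; the controller and getter names are assumed, and the `Survey_Header__c` field is a placeholder.

```apex
// Added example, not survey-force code. Names are assumed placeholders.
public with sharing class SurveyHeaderExample {

    // Raw value as loaded from the record (placeholder field name).
    public String storedHeader { get; set; }

    // Getter bound from the page, e.g.:
    //   <apex:outputText value="{!safeHeader}" escape="false"/>
    // Encoding here means the markup is neutralised even with escape="false".
    public String getSafeHeader() {
        return storedHeader == null ? '' : storedHeader.escapeHtml4();
    }

    // Helper used by the test below: what a browser would render as visible text
    // for an already-entity-encoded value versus a raw one.
    public static String encodeForHtml(String value) {
        return value == null ? '' : value.escapeHtml4();
    }
}

@IsTest
private class SurveyHeaderExampleTest {
    @IsTest
    static void rawMarkupIsNeutralised() {
        // Constructed input mirroring the value discussed in the thread.
        String raw = 'SurveyForce Sample Survey <strong>test</strong>';
        String encoded = SurveyHeaderExample.encodeForHtml(raw);
        System.assertEquals(
            'SurveyForce Sample Survey &lt;strong&gt;test&lt;/strong&gt;', encoded);
        System.assert(!encoded.contains('<'), 'no raw angle brackets should survive');
    }

    @IsTest
    static void scriptPayloadIsNeutralised() {
        // Constructed input: the classic probe a SAST tool assumes could be stored.
        String raw = '<script>alert(1)</script>';
        String encoded = SurveyHeaderExample.encodeForHtml(raw);
        System.assertEquals('&lt;script&gt;alert(1)&lt;/script&gt;', encoded);
    }
}
```

Note that if the stored value is already entity-encoded on save, encoding again at render time shows the entities themselves (`&lt;strong&gt;`) rather than the tag text, so a project choosing output-time encoding should store the raw value and encode exactly once, on output. Either approach is defensible; what a reviewer checks is that every render path of the field is covered and that `escape="false"` is never applied to a value that has not been encoded.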