wadewegner / Force.com-Toolkit-for-NET

The Force.com Toolkits for .NET provides an easy way for .NET developers to interact with the Force.com & Chatter REST APIs using native libraries.
BSD 3-Clause "New" or "Revised" License

Xml injection vulnerability in SObject #386

Open aaron-henselin opened 4 years ago

aaron-henselin commented 4 years ago

Strings are not XmlEncoded when an SObject is encoded. This leads to "records not processed" exceptions when fields contain xml characters.

This should be considered a security issue as tag injection & mass assignment is possible as a result. Proof of concept attack available on request.
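The two failure modes the report describes (malformed XML from an unescaped `&` or `<`, and extra elements appearing when a value contains a closing tag) follow directly from building the SObject body by string concatenation. The following is an added illustration, not the toolkit's own serializer or the code in the linked PR: it places a naive concatenating builder beside one that uses `System.Xml.XmlWriter`, which escapes reserved characters in element text. The `sObject` root and field names mirror the Bulk API XML shape; the field values are constructed for the demonstration, and `Injected__c` is a hypothetical custom field name.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Xml;
using System.Xml.Linq;

// Added example (not code from the Force.com Toolkit for .NET). Contrasts a
// concatenating SObject serializer with an XmlWriter-based one.
public static class SObjectXml
{
    // Vulnerable shape: values are copied into the document verbatim.
    // '&' or '<' in a value yields malformed XML (the "Records not processed"
    // symptom); a value containing a closing tag can introduce extra elements.
    public static string BuildUnescaped(IList<KeyValuePair<string, string>> fields)
    {
        var sb = new StringBuilder("<sObject>");
        foreach (var kv in fields)
            sb.Append('<').Append(kv.Key).Append('>')
              .Append(kv.Value)
              .Append("</").Append(kv.Key).Append('>');
        sb.Append("</sObject>");
        return sb.ToString();
    }

    // Hardened shape: XmlWriter escapes '<', '>' and '&' in element text, so a
    // value can never close the current element or open another one.
    public static string BuildEscaped(IList<KeyValuePair<string, string>> fields)
    {
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        var sb = new StringBuilder();
        using (var w = XmlWriter.Create(sb, settings))
        {
            w.WriteStartElement("sObject");
            foreach (var kv in fields)
            {
                // Also rejects field names that are not legal XML element names.
                w.WriteElementString(kv.Key, kv.Value);
            }
            w.WriteEndElement();
        }
        return sb.ToString();
    }

    // Defender's check: how many fields does a parser actually see? For a
    // correctly serialized record this equals the number of fields supplied.
    public static int CountFields(string xml)
    {
        var doc = XDocument.Parse(xml);
        int n = 0;
        foreach (var _ in doc.Root.Elements()) n++;
        return n;
    }

    private static void Show(string label, string xml)
    {
        Console.WriteLine(label + ": " + xml);
        try
        {
            Console.WriteLine("  fields seen by parser: " + CountFields(xml));
        }
        catch (XmlException e)
        {
            Console.WriteLine("  malformed XML: " + e.Message);
        }
    }

    public static void Main()
    {
        // Constructed input 1: an ordinary value containing an ampersand.
        var ampersand = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("Name", "Acme & Sons")
        };
        // Constructed input 2: a value that contains markup-like text.
        var markup = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("Name", "x</Name><Injected__c>y</Injected__c><Name>")
        };

        Show("naive, ampersand", BuildUnescaped(ampersand));   // malformed XML
        Show("escaped, ampersand", BuildEscaped(ampersand));   // 1 field
        Show("naive, markup", BuildUnescaped(markup));         // 2 fields seen
        Show("escaped, markup", BuildEscaped(markup));         // 1 field
    }
}
```

The point of `CountFields` is the review check a maintainer can apply to any serializer change: serialize a record whose values contain `&`, `<` and a closing tag, parse the result back, and confirm the parsed element count equals the number of fields supplied. The authoritative fix for the toolkit itself is the PR linked later in this thread; this example only shows why escaping at serialization time is the correct boundary.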

PaulDMendoza commented 4 years ago

Oh, I'm so glad you reported this. I have been encountering this error so I guess I need to sanitize my fields.

Salesforce.Common.ForceException: Records not processed
   at Salesforce.Common.XmlHttpClient.HttpGetAsync[T](Uri uri)
   at Salesforce.Common.XmlHttpClient.HttpGetAsync[T](String urlSuffix)
   at Salesforce.Force.ForceClient.GetBatchResultAsync(String batchId, String jobId)
   at Salesforce.Force.ForceClient.GetBatchResultAsync(BatchInfoResult batchInfo)
   at Salesforce.Force.ForceClient.RunJobAndPollAsync[T](String objectName, String externalIdFieldName, OperationType operationType, IEnumerable`1 recordsLists)
   at DragnetTech.EventProcessors.SalesForce.SFDCApi.RunJobAndPollAsync(String recordtype, String externalIdFieldName, OperationType operationType, List`1 batchList) in C:\BuildAgent\work\cd2eb89e93c72895\Functions\DragnetTech.EventProcessors\SalesForce\SFDCApi.cs:line 80

aaron-henselin commented 4 years ago

If you're OK with creating your own version of 'SObject', here is the associated PR:

https://github.com/wadewegner/Force.com-Toolkit-for-NET/pull/387/files