This is a security issue I'm trying to figure out. Everything works fine and I can get users authenticated to Twitter from inside my managed package destined for the AppExchange. The problem is that the Twitter OAuth 1.0 process (or "dance") has communication steps that occur with GETs coming from Twitter back into my application. Although this works, it's a red flag for the security review process according to security test passes online and now with CxViewer in Eclipse.
But I need to get this information from Twitter and store it somehow for each user. A sample code entry point with this issue, where Twitter is calling back from one of my auth_token requests, would be:
Page:
<apex:page controller="AuthController" action="{!completeAuthorization}"/>
Apex:
public PageReference completeAuthorization()
{
String token = ApexPages.currentPage().getParameters().get('oauth_token');
CustomObject__c c = new CustomObject__c(Name = token);
insert c; // <--- Security flaw here! (except that it's Twitter, not Trojan.com)
}
I've read all the supplied Apex documentation on the subject, read it again, looked through the forums and unfortunately came up with zilch/nada. Any assistance would be greatly appreciated!
Here's what I discovered. The issue relates to having the GET parameter dictate anything about the object selected in Salesforce and then saving data to that object. I don't believe there was ever a real security issue and with my new code the security test passes with no problem. What was happening is essentially this:
String token = ApexPages.currentPage().getParameters().get('oauth_token');
CustomObject__c pcs = [
SELECT Id, User__c, Token__c
FROM CustomObject__c
WHERE Id = :UserInfo.getUserId()
AND Token__c = :EncodingUtil.urlEncode(token, 'UTF-8'];
Since this whole exchange begins from my context, where I'm 100% certain of the current user (UserInfo.getUserId()), I don't need to check whether this particular token matches since the user is guaranteed (at least as it relates to me initiating this process). So the following select works fine:
CustomObject__c pcs = [
SELECT Id, User__c, Token__c
FROM CustomObject__c
WHERE Id = :UserInfo.getUserId()];
Then later if I do an update to this object:
update pcs;
it doesn't complain since the GET value passed in doesn't have any connection with the object chosen for the write. As you might notice, however, there never really was a problem - as long as I included
WHERE Id = :UserInfo.getUserId()
to the SOQL statement. The reason is that no matter what false tokens an attack tried to inject into my code, it was still verifying against the current user and would fail in any case if the user didn't match. But in Salesforce there's no possible way to have two simultaneous users logged in at the same time, like most systems, so the token check was overkill from the start, since I'm never sharing my User Ids with Twitter.
The actual tokens that need to be stored (oauth_token and oauth_secret) can be retrieved as POST parameters and therefore have built-in Salesforce CSRF protection. These are retrieved like this:
Http h = new Http();
HttpRequest req = new HttpRequest();
req.setMethod('POST');
req.setEndpoint(accessTokenURL);
req.setBody('');
sign(req);
HttpResponse res = new HttpResponse();
String resParams = res.getBody();
Map<String,String> rp = new Map<String,String>();
if(resParams != null)
{
for(String s : resParams.split('&'))
{
List<String> kv = s.split('=');
rp.put(kv[0],kv[1]);
}
}
tK.Secret__c = rp.get('oauth_token_secret');
tK.Token__c = rp.get('oauth_token');
upsert tK; // No problem, it's from a POST body
And I was about to POST a bounty ;)