Is a component only launched from a quick action safe from CSRF?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
2
down vote

favorite












I've got a component that is launched from a quick action and on init preforms some DML and redirects the user. It only implements these three interfaces and is not referenced anywhere else in the application: force:LightningQuickAction, force:hasRecordId, force:hasSObjectName



Would I be able to document this as a false positive for CSRF with the justification that this component does not have a URL?






lightning-components lightning security-review csrf







share|improve this question























  • Would it be possible to explain a little more on nature of the quick action and why is the dml needed?
    – codeyinthecloud
    1 hour ago










  • The resource that the user is redirected to expects a record to exist in the database. So this component creates the record and redirects to that resource. It's a bad design but if it safe then I'd rather not spend the time fixing it right now. Thanks for the help!
    – bafuda
    18 mins ago










  • Before inserting if you can confirm with user it wnt be breaking CSRF then.
    – Pranay Jaiswal
    15 mins ago










  • honestly Successfully performing a CSRF attack is not trivial. It requires the targeted user to visit the attack page while authenticated with the targeted service, which often requires coordinated deception on the part of the attacker (this is mostly commonly seen in phishing campaigns). Just show a confirmation before redirecting can help for now! more here
    – codeyinthecloud
    14 mins ago
















up vote
2
down vote

favorite












I've got a component that is launched from a quick action and on init preforms some DML and redirects the user. It only implements these three interfaces and is not referenced anywhere else in the application: force:LightningQuickAction, force:hasRecordId, force:hasSObjectName



Would I be able to document this as a false positive for CSRF with the justification that this component does not have a URL?






lightning-components lightning security-review csrf







share|improve this question























  • Would it be possible to explain a little more on nature of the quick action and why is the dml needed?
    – codeyinthecloud
    1 hour ago










  • The resource that the user is redirected to expects a record to exist in the database. So this component creates the record and redirects to that resource. It's a bad design but if it safe then I'd rather not spend the time fixing it right now. Thanks for the help!
    – bafuda
    18 mins ago










  • Before inserting if you can confirm with user it wnt be breaking CSRF then.
    – Pranay Jaiswal
    15 mins ago










  • honestly Successfully performing a CSRF attack is not trivial. It requires the targeted user to visit the attack page while authenticated with the targeted service, which often requires coordinated deception on the part of the attacker (this is mostly commonly seen in phishing campaigns). Just show a confirmation before redirecting can help for now! more here
    – codeyinthecloud
    14 mins ago












up vote
2
down vote

favorite









up vote
2
down vote

favorite











I've got a component that is launched from a quick action and on init preforms some DML and redirects the user. It only implements these three interfaces and is not referenced anywhere else in the application: force:LightningQuickAction, force:hasRecordId, force:hasSObjectName



Would I be able to document this as a false positive for CSRF with the justification that this component does not have a URL?






lightning-components lightning security-review csrf







share|improve this question















I've got a component that is launched from a quick action and on init preforms some DML and redirects the user. It only implements these three interfaces and is not referenced anywhere else in the application: force:LightningQuickAction, force:hasRecordId, force:hasSObjectName



Would I be able to document this as a false positive for CSRF with the justification that this component does not have a URL?






lightning-components lightning security-review csrf




lightning-components lightning security-review csrf






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 40 mins ago









codeyinthecloud

1,556217




1,556217










asked 1 hour ago









bafuda

468414




468414











  • Would it be possible to explain a little more on nature of the quick action and why is the dml needed?
    – codeyinthecloud
    1 hour ago










  • The resource that the user is redirected to expects a record to exist in the database. So this component creates the record and redirects to that resource. It's a bad design but if it safe then I'd rather not spend the time fixing it right now. Thanks for the help!
    – bafuda
    18 mins ago










  • Before inserting if you can confirm with user it wnt be breaking CSRF then.
    – Pranay Jaiswal
    15 mins ago










  • honestly Successfully performing a CSRF attack is not trivial. It requires the targeted user to visit the attack page while authenticated with the targeted service, which often requires coordinated deception on the part of the attacker (this is mostly commonly seen in phishing campaigns). Just show a confirmation before redirecting can help for now! more here
    – codeyinthecloud
    14 mins ago
















  • Would it be possible to explain a little more on nature of the quick action and why is the dml needed?
    – codeyinthecloud
    1 hour ago










  • The resource that the user is redirected to expects a record to exist in the database. So this component creates the record and redirects to that resource. It's a bad design but if it safe then I'd rather not spend the time fixing it right now. Thanks for the help!
    – bafuda
    18 mins ago










  • Before inserting if you can confirm with user it wnt be breaking CSRF then.
    – Pranay Jaiswal
    15 mins ago










  • honestly Successfully performing a CSRF attack is not trivial. It requires the targeted user to visit the attack page while authenticated with the targeted service, which often requires coordinated deception on the part of the attacker (this is mostly commonly seen in phishing campaigns). Just show a confirmation before redirecting can help for now! more here
    – codeyinthecloud
    14 mins ago















Would it be possible to explain a little more on nature of the quick action and why is the dml needed?
– codeyinthecloud
1 hour ago




Would it be possible to explain a little more on nature of the quick action and why is the dml needed?
– codeyinthecloud
1 hour ago












The resource that the user is redirected to expects a record to exist in the database. So this component creates the record and redirects to that resource. It's a bad design but if it safe then I'd rather not spend the time fixing it right now. Thanks for the help!
– bafuda
18 mins ago




The resource that the user is redirected to expects a record to exist in the database. So this component creates the record and redirects to that resource. It's a bad design but if it safe then I'd rather not spend the time fixing it right now. Thanks for the help!
– bafuda
18 mins ago












Before inserting if you can confirm with user it wnt be breaking CSRF then.
– Pranay Jaiswal
15 mins ago




Before inserting if you can confirm with user it wnt be breaking CSRF then.
– Pranay Jaiswal
15 mins ago












honestly Successfully performing a CSRF attack is not trivial. It requires the targeted user to visit the attack page while authenticated with the targeted service, which often requires coordinated deception on the part of the attacker (this is mostly commonly seen in phishing campaigns). Just show a confirmation before redirecting can help for now! more here
– codeyinthecloud
14 mins ago




honestly Successfully performing a CSRF attack is not trivial. It requires the targeted user to visit the attack page while authenticated with the targeted service, which often requires coordinated deception on the part of the attacker (this is mostly commonly seen in phishing campaigns). Just show a confirmation before redirecting can help for now! more here
– codeyinthecloud
14 mins ago










2 Answers
2






active

oldest

votes

















up vote
2
down vote



accepted










YES and NO, It can be little tricky! Even though the dml is happening on component load but which is still a click by a human intervention(because its a quick action) this would be a hard one to determine.



CSRF : In order to prevent CSRF attacks, do not invoke any server-side controller method that performs a DML operation automatically as the result of a page load. Specifically, do not invoke server-side DML controller method as onInit handlers, or afterRender handlers (if rendering is performed automatically on page load).



(
 doInit: function(cmp) 
 var action = cmp.get("c.updateField"); //vulnerable to CSRF
 [...]
 $A.enqueueAction(action);
 ,
 handleClick: function(cmp, event) 
 var action = cmp.get("c.updateField"); //not vulnerable to CSRF
 [...]
 $A.enqueueAction(action);
 
)


The key is that the DML operation not be performed without an event stemming from human interaction, such as a click. CSRF only applies to server-side DML operations, not operations that update client-side component attributes.



Developers should be cautious about writing pages that take action based upon a user-supplied parameter like the id variable in the preceding example. A possible work-around is to insert an intermediate confirmation page before taking the action, to make sure the user intended to call the page. Other suggestions include shortening the idle session timeout for the organization and educating users to log out of their active session and not use their browser to visit other sites while authenticated






share|improve this answer





























    up vote
    1
    down vote













    Adding few pointers to what codeyInTheCloud has said.



    It's a good practice to not do DML in onLoad of page in VF and init method of lightning, but if there is a strong business use case and there is no way out then it is acceptable.



    eg: You have to audit when a record is opened by a user, and how many times, then, in that case, we use a VF page or lightning component and do a dml on page load. There is always a risk with this but can be still mitigated if certain things are followed.



    1. Avoid Dynamic SOQL in Apex controller (https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_soql_injection.htm) , if needed atleast sanitize the input received


    2. If doing delete or update of critical data, always ask for confirmation from end user, using modal or page messages.


    Following these practices and giving a proper explanation to security team, you can get the app reviewed without hassels.






    share|improve this answer




















      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "459"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













       

      draft saved


      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f237935%2fis-a-component-only-launched-from-a-quick-action-safe-from-csrf%23new-answer', 'question_page');

      );

      Post as a guest

















      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      2
      down vote



      accepted










      YES and NO, It can be little tricky! Even though the dml is happening on component load but which is still a click by a human intervention(because its a quick action) this would be a hard one to determine.



      CSRF : In order to prevent CSRF attacks, do not invoke any server-side controller method that performs a DML operation automatically as the result of a page load. Specifically, do not invoke server-side DML controller method as onInit handlers, or afterRender handlers (if rendering is performed automatically on page load).



      (
       doInit: function(cmp) 
       var action = cmp.get("c.updateField"); //vulnerable to CSRF
       [...]
       $A.enqueueAction(action);
       ,
       handleClick: function(cmp, event) 
       var action = cmp.get("c.updateField"); //not vulnerable to CSRF
       [...]
       $A.enqueueAction(action);
       
      )


      The key is that the DML operation not be performed without an event stemming from human interaction, such as a click. CSRF only applies to server-side DML operations, not operations that update client-side component attributes.



      Developers should be cautious about writing pages that take action based upon a user-supplied parameter like the id variable in the preceding example. A possible work-around is to insert an intermediate confirmation page before taking the action, to make sure the user intended to call the page. Other suggestions include shortening the idle session timeout for the organization and educating users to log out of their active session and not use their browser to visit other sites while authenticated






      share|improve this answer


























        up vote
        2
        down vote



        accepted










        YES and NO, It can be little tricky! Even though the dml is happening on component load but which is still a click by a human intervention(because its a quick action) this would be a hard one to determine.



        CSRF : In order to prevent CSRF attacks, do not invoke any server-side controller method that performs a DML operation automatically as the result of a page load. Specifically, do not invoke server-side DML controller method as onInit handlers, or afterRender handlers (if rendering is performed automatically on page load).



        (
         doInit: function(cmp) 
         var action = cmp.get("c.updateField"); //vulnerable to CSRF
         [...]
         $A.enqueueAction(action);
         ,
         handleClick: function(cmp, event) 
         var action = cmp.get("c.updateField"); //not vulnerable to CSRF
         [...]
         $A.enqueueAction(action);
         
        )


        The key is that the DML operation not be performed without an event stemming from human interaction, such as a click. CSRF only applies to server-side DML operations, not operations that update client-side component attributes.



        Developers should be cautious about writing pages that take action based upon a user-supplied parameter like the id variable in the preceding example. A possible work-around is to insert an intermediate confirmation page before taking the action, to make sure the user intended to call the page. Other suggestions include shortening the idle session timeout for the organization and educating users to log out of their active session and not use their browser to visit other sites while authenticated






        share|improve this answer
























          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted






          YES and NO, It can be little tricky! Even though the dml is happening on component load but which is still a click by a human intervention(because its a quick action) this would be a hard one to determine.



          CSRF : In order to prevent CSRF attacks, do not invoke any server-side controller method that performs a DML operation automatically as the result of a page load. Specifically, do not invoke server-side DML controller method as onInit handlers, or afterRender handlers (if rendering is performed automatically on page load).



          (
           doInit: function(cmp) 
           var action = cmp.get("c.updateField"); //vulnerable to CSRF
           [...]
           $A.enqueueAction(action);
           ,
           handleClick: function(cmp, event) 
           var action = cmp.get("c.updateField"); //not vulnerable to CSRF
           [...]
           $A.enqueueAction(action);
           
          )


          The key is that the DML operation not be performed without an event stemming from human interaction, such as a click. CSRF only applies to server-side DML operations, not operations that update client-side component attributes.



          Developers should be cautious about writing pages that take action based upon a user-supplied parameter like the id variable in the preceding example. A possible work-around is to insert an intermediate confirmation page before taking the action, to make sure the user intended to call the page. Other suggestions include shortening the idle session timeout for the organization and educating users to log out of their active session and not use their browser to visit other sites while authenticated






          share|improve this answer














          YES and NO, It can be little tricky! Even though the dml is happening on component load but which is still a click by a human intervention(because its a quick action) this would be a hard one to determine.



          CSRF : In order to prevent CSRF attacks, do not invoke any server-side controller method that performs a DML operation automatically as the result of a page load. Specifically, do not invoke server-side DML controller method as onInit handlers, or afterRender handlers (if rendering is performed automatically on page load).



          (
           doInit: function(cmp) 
           var action = cmp.get("c.updateField"); //vulnerable to CSRF
           [...]
           $A.enqueueAction(action);
           ,
           handleClick: function(cmp, event) 
           var action = cmp.get("c.updateField"); //not vulnerable to CSRF
           [...]
           $A.enqueueAction(action);
           
          )


          The key is that the DML operation not be performed without an event stemming from human interaction, such as a click. CSRF only applies to server-side DML operations, not operations that update client-side component attributes.



          Developers should be cautious about writing pages that take action based upon a user-supplied parameter like the id variable in the preceding example. A possible work-around is to insert an intermediate confirmation page before taking the action, to make sure the user intended to call the page. Other suggestions include shortening the idle session timeout for the organization and educating users to log out of their active session and not use their browser to visit other sites while authenticated







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 59 mins ago

























          answered 1 hour ago









          codeyinthecloud

          1,556217




          1,556217






















              up vote
              1
              down vote













              Adding few pointers to what codeyInTheCloud has said.



              It's a good practice to not do DML in onLoad of page in VF and init method of lightning, but if there is a strong business use case and there is no way out then it is acceptable.



              eg: You have to audit when a record is opened by a user, and how many times, then, in that case, we use a VF page or lightning component and do a dml on page load. There is always a risk with this but can be still mitigated if certain things are followed.



              1. Avoid Dynamic SOQL in Apex controller (https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_soql_injection.htm) , if needed atleast sanitize the input received


              2. If doing delete or update of critical data, always ask for confirmation from end user, using modal or page messages.


              Following these practices and giving a proper explanation to security team, you can get the app reviewed without hassels.






              share|improve this answer
























                up vote
                1
                down vote













                Adding few pointers to what codeyInTheCloud has said.



                It's a good practice to not do DML in onLoad of page in VF and init method of lightning, but if there is a strong business use case and there is no way out then it is acceptable.



                eg: You have to audit when a record is opened by a user, and how many times, then, in that case, we use a VF page or lightning component and do a dml on page load. There is always a risk with this but can be still mitigated if certain things are followed.



                1. Avoid Dynamic SOQL in Apex controller (https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_soql_injection.htm) , if needed atleast sanitize the input received


                2. If doing delete or update of critical data, always ask for confirmation from end user, using modal or page messages.


                Following these practices and giving a proper explanation to security team, you can get the app reviewed without hassels.






                share|improve this answer






















                  up vote
                  1
                  down vote










                  up vote
                  1
                  down vote









                  Adding few pointers to what codeyInTheCloud has said.



                  It's a good practice to not do DML in onLoad of page in VF and init method of lightning, but if there is a strong business use case and there is no way out then it is acceptable.



                  eg: You have to audit when a record is opened by a user, and how many times, then, in that case, we use a VF page or lightning component and do a dml on page load. There is always a risk with this but can be still mitigated if certain things are followed.



                  1. Avoid Dynamic SOQL in Apex controller (https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_soql_injection.htm) , if needed atleast sanitize the input received


                  2. If doing delete or update of critical data, always ask for confirmation from end user, using modal or page messages.


                  Following these practices and giving a proper explanation to security team, you can get the app reviewed without hassels.






                  share|improve this answer












                  Adding few pointers to what codeyInTheCloud has said.



                  It's a good practice to not do DML in onLoad of page in VF and init method of lightning, but if there is a strong business use case and there is no way out then it is acceptable.



                  eg: You have to audit when a record is opened by a user, and how many times, then, in that case, we use a VF page or lightning component and do a dml on page load. There is always a risk with this but can be still mitigated if certain things are followed.



                  1. Avoid Dynamic SOQL in Apex controller (https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_soql_injection.htm) , if needed atleast sanitize the input received


                  2. If doing delete or update of critical data, always ask for confirmation from end user, using modal or page messages.


                  Following these practices and giving a proper explanation to security team, you can get the app reviewed without hassels.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 40 mins ago









                  Pranay Jaiswal

                  10k31949




                  10k31949



























                       

                      draft saved


                      draft discarded















































                       


                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f237935%2fis-a-component-only-launched-from-a-quick-action-safe-from-csrf%23new-answer', 'question_page');

                      );

                      Post as a guest
































































                      Comments

                      Post a Comment

                      Popular posts from this blog

                      Long meetings (6-7 hours a day): Being “babysat” by supervisor

                      Image
                      Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
                      Read more

                      Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

                      Image
                      Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
                      Read more

                      Confectionery

                      Image
                      Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
                      Read more