[feature] SC-166737/improve app proxy security by restricting where token replacements can go#89
Build for commit 93e4bb0 deployed to: https://salesforce-pr-89.ci.next.deskprodemo.com
Pull Request Overview
This pull request attempts to enhance the security of the Salesforce proxy configuration by replacing a wildcard URL pattern with a specific placeholder and introducing automatic credential injection via settingsInjection. The goal is to restrict proxy requests to only the configured Salesforce instance rather than allowing any Salesforce subdomain. However, the implementation has critical bugs that will prevent the proxy from functioning correctly.
Key intended changes:
- Replace the wildcard `(.*).salesforce.com` pattern with the `__salesforce_instance_url__` placeholder for tighter security
- Add `settingsInjection` to automatically inject credentials into request bodies
- Improve credential management by centralizing injection in the manifest configuration
| "settingsInjection": { | ||
| "client_key": { | ||
| "body": ["client_id"] | ||
| }, | ||
| "client_secret": { | ||
| "body": ["client_secret"] | ||
| }, | ||
| "global_access_token": { | ||
| "body": ["refresh_token"] | ||
| } | ||
| } |
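Review bot: `global_access_token` is copied straight into the `refresh_token` body field, yet the manual body in src/api/api.ts (quoted in the review comment below) reads the token as `__global_access_token.json("[refreshToken]")__`, which suggests the setting holds a JSON object with a `refreshToken` property rather than the bare token string. If the injection copies the raw setting value, the token endpoint would receive the whole object under `refresh_token`; either inject the extracted field or document that `global_access_token` is stored as a plain string, and say in the manifest which endpoints the injection is meant for.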
The settingsInjection configuration appears to inject credentials into the request body for all requests to Salesforce services. However, examining src/api/api.ts lines 350-362, the OAuth token refresh logic already manually constructs a URL-encoded body with these credentials using placeholder syntax:
body: `grant_type=refresh_token&client_id=__client_key__&client_secret=__client_secret__&refresh_token=__global_access_token.json("[refreshToken]")__`
This creates a conflict where:
- The refresh token endpoint expects `application/x-www-form-urlencoded` content (line 355)
- Most other API calls use `application/json` content (line 329)
- The `settingsInjection` will inject into the body as JSON fields for all requests
This means regular API calls will have unnecessary credentials injected into their JSON bodies, and the OAuth refresh endpoint may receive duplicate or incorrectly formatted credentials. Consider restricting settingsInjection to specific endpoints or removing it if the manual placeholder approach in the code is the intended mechanism.
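The conflict described in the comment above, as an added example (not code from the Deskpro app or its proxy): a small JavaScript model of the proposed `settingsInjection` block applied to the two request shapes the review mentions, with two defender-side checks for where credentials end up. The injection semantics, the `example.my.salesforce.com` host and the sample requests are assumptions made for illustration.

```javascript
// Added example, not code from the Deskpro Salesforce app or its proxy: it models the
// PR's "settingsInjection" block applied to a form-encoded token refresh and to a JSON
// API call, then checks where credentials end up. Semantics and samples are assumed.
// Constructed placeholders, not real credentials.
const SETTINGS = {
  client_key: "CLIENT_KEY_PLACEHOLDER", client_secret: "CLIENT_SECRET_PLACEHOLDER",
  global_access_token: "REFRESH_TOKEN_PLACEHOLDER",
};
// The block proposed in the PR: setting name -> body field names it is copied to.
const INJECTION = {
  client_key: { body: ["client_id"] }, client_secret: { body: ["client_secret"] },
  global_access_token: { body: ["refresh_token"] },
};
// Assumed behaviour: JSON bodies get the fields merged in; form-encoded bodies
// get them appended even when the same field is already present.
function applyInjection(req, inj = INJECTION, settings = SETTINGS) {
  const pairs = [];
  for (const [s, t] of Object.entries(inj)) for (const f of t.body) pairs.push([f, settings[s]]);
  if (req.contentType.startsWith("application/json")) {
    const body = JSON.parse(req.body || "{}");
    for (const [f, v] of pairs) body[f] = v;
    return { ...req, body: JSON.stringify(body) };
  }
  const extra = pairs.map(([f, v]) => `${f}=${encodeURIComponent(v)}`).join("&");
  return { ...req, body: req.body ? `${req.body}&${extra}` : extra };
}

// Check 1: a client secret or refresh token sent anywhere except the token endpoint.
function credentialLeaks(reqs, settings = SETTINGS) {
  const secrets = [settings.client_secret, settings.global_access_token];
  return reqs
    .filter((r) => !r.url.endsWith("/services/oauth2/token"))
    .filter((r) => secrets.some((s) => r.body.includes(s)))
    .map((r) => r.url);
}

// Check 2: form-encoded parameter names that occur more than once.
function duplicateParams(req) {
  const names = req.body.split("&").map((p) => p.split("=")[0]);
  return Array.from(new Set(names.filter((n, i) => names.indexOf(n) !== i)));
}

// Constructed sample: the manual token refresh already carries the credentials.
const SAMPLE = [
  { url: "https://example.my.salesforce.com/services/oauth2/token", contentType: "application/x-www-form-urlencoded",
    body: "grant_type=refresh_token&client_id=CLIENT_KEY_PLACEHOLDER&client_secret=CLIENT_SECRET_PLACEHOLDER" },
  { url: "https://example.my.salesforce.com/services/data/v58.0/sobjects/Contact", contentType: "application/json",
    body: '{"LastName":"Doe"}' },
].map((r) => applyInjection(r));
```

Running the two checks over `SAMPLE` flags the JSON `Contact` call as carrying the client secret and refresh token, and shows `client_id` and `client_secret` appearing twice in the form-encoded refresh body.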
| "settingsInjection": { | |
| "client_key": { | |
| "body": ["client_id"] | |
| }, | |
| "client_secret": { | |
| "body": ["client_secret"] | |
| }, | |
| "global_access_token": { | |
| "body": ["refresh_token"] | |
| } | |
| } | |
| // Removed settingsInjection to prevent credentials from being injected into all requests |
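Review bot: the suggested replacement leaves a `//` line comment inside manifest.json. Standard JSON has no comment syntax, so unless the manifest loader accepts JSONC this change makes the file unparseable; put the rationale in the commit message instead, and check that dropping the `settingsInjection` block does not leave a trailing comma on the preceding property.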
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This pull request updates the Salesforce proxy configuration in the `manifest.json` file to improve security and flexibility when connecting to Salesforce services. The main change is the replacement of the wildcard URL pattern with a placeholder, and the addition of a mechanism to inject sensitive credentials from settings into request bodies.

Proxy configuration enhancements:
- `__salesforce_instance_url__` placeholder for improved explicitness and control.
- `settingsInjection` section to automatically inject `client_key`, `client_secret`, and `global_access_token` from settings into the request body as `client_id`, `client_secret`, and `refresh_token` respectively, enhancing credential management and security.