From a03583b75c7bf0e83f7c9cdab5ce203b41637f02 Mon Sep 17 00:00:00 2001
From: Paul Hutchinson
Date: Tue, 18 Nov 2025 15:45:53 +0000
Subject: [PATCH 1/2] [feature] SC-166737/improve app proxy security by restricting where token replacements can go
---
 manifest.json | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/manifest.json b/manifest.json
index 13553cf..ab531bb 100644
--- a/manifest.json
+++ b/manifest.json
@@ -145,9 +145,20 @@
 "proxy": {
 "whitelist": [
 {
- "url": "https://(.*).salesforce.com/services/.*",
+ "url": "https://__salesforce_instance_url__.salesforce.com/services/.*",
 "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"],
- "timeout": 30
+ "timeout": 30,
+ "settingsInjection": {
+ "client_key": {
+ "body": ["client_id"]
+ },
+ "client_secret": {
+ "body": ["client_secret"]
+ },
+ "global_access_token": {
+ "body": ["refresh_token"]
+ }
+ }
 }
 ]
 }
From 93e4bb079381965ede3753dbb0c1336d92571775 Mon Sep 17 00:00:00 2001
From: Paul <1740195+HappyPaul55@users.noreply.github.com>
Date: Wed, 19 Nov 2025 12:12:57 +0000
Subject: [PATCH 2/2] Update manifest.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifest.json b/manifest.json
index ab531bb..194b63d 100644
--- a/manifest.json
+++ b/manifest.json
@@ -145,7 +145,7 @@
 "proxy": {
 "whitelist": [
 {
- "url": "https://__salesforce_instance_url__.salesforce.com/services/.*",
+ "url": "__salesforce_instance_url__/services/.*",
 "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"],
 "timeout": 30,
 "settingsInjection": {
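Review bot: In patch 1/2, the `settingsInjection` map sits on the single whitelist entry that matches every path under `/services/.*` with all five methods, so `client_secret` and the `global_access_token` value remain substitutable into the body of any request to the instance, not only the token exchange. The body fields it names (`client_id`, `client_secret`, `refresh_token`) are OAuth token-request parameters, so the least-privilege shape would be a separate entry limited to the token endpoint, e.g. a url ending in `/services/oauth2/token` with `"methods": ["POST"]`, carrying this map. The broad entry would then allow no secret substitution at all. This assumes the proxy treats the map as the allow-list of placeholder locations and that an entry without the map does not fall back to unrestricted substitution; both are worth confirming against the proxy documentation. It is also worth checking that the setting named `global_access_token` really holds a refresh token, since it is mapped to the `refresh_token` field.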
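Review bot: In patch 2/2, the new pattern `__salesforce_instance_url__/services/.*` drops both the `https://` scheme and the `.salesforce.com` suffix that the replaced line pinned, so the allowed destination is now whatever the instance-URL setting contains. Because the `settingsInjection` block directly below places `client_secret` and the refresh token in the request body, that setting alone decides which host receives those secrets. Unless the setting is validated elsewhere in the manifest (not visible in this hunk) to be an https URL on a Salesforce-owned domain, keep the constraint in the pattern or add that validation. If the setting stores a bare host rather than a full URL, `"url": "https://__salesforce_instance_url__/services/.*"` would at least pin the scheme. Also confirm whether the proxy regex-escapes the substituted value and anchors the pattern, since unescaped dots in a hostname match any character.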