GuardRails

Insecure Processing of Data

This category covers the following issues:

  • Cross-Site Scripting (XSS)
  • Open Redirect

Cross-Site Scripting (XSS)

Why is this important?

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise trusted websites. XSS attacks allow attackers to target legitimate users of a web application by sending malicious script code to them.

Check out this video for a high-level explanation:

Cross-Site Scripting

Fixing Cross-Site Scripting

Option A: Enable escaping for addError()

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for patterns like this:
public without sharing class Foo {
  // Trigger.new is only populated in trigger context (assumed here)
  public static void validate(String vulnerableHTMLGoesHere) {
    Trigger.new[0].addError(vulnerableHTMLGoesHere, false); // escape=false: HTML in the message is rendered as-is
  }
}
  3. And ensure that escaping is enabled, or that the input is safe.
public without sharing class Foo {
  public static void validate(String vulnerableHTMLGoesHere) {
    Trigger.new[0].addError(vulnerableHTMLGoesHere, true); // escape=true: the platform HTML-encodes the message
  }
}
  4. Test it
  5. Ship it 🚢 and relax 🌴

Option B: Perform output encoding

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for patterns like this:
public without sharing class Foo {
  // request parameter, fully attacker-controlled
  String unescapedstring = ApexPages.currentPage().getParameters().get('url_param');
  String usedLater = unescapedstring;
}
  3. And ensure that the values are properly escaped/sanitized:
public without sharing class Foo {
  String unescapedstring = ApexPages.currentPage().getParameters().get('url_param');
  // HTML-encode before the value reaches any HTML sink (Force.com ESAPI)
  String escapedstring = ESAPI.encoder().SFDC_HTMLENCODE(unescapedstring);
  String usedLater = escapedstring;
}
  4. Test it
  5. Ship it 🚢 and relax 🌴
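Both fixes side by side, as an added example that is not code from the GuardRails page or the Force.com ESAPI project: an Account name validator that reports errors built from user-controlled data, using addError with escaping enabled for the trigger path and the built-in String.escapeHtml4() where the message must be pre-encoded. The Account object, Name field, method names and the allowed-name pattern are assumptions.

```apex
// Added example: validation error reporting that never renders caller-controlled HTML.
// Object (Account), field (Name) and method names are assumptions for illustration.
public without sharing class AccountNameValidator {

    // Called from a before insert/update trigger on Account (assumed).
    public static void validate(List<Account> records) {
        for (Account a : records) {
            if (!isAcceptableName(a.Name)) {
                // The message embeds a.Name, which the user controls. With escape=false
                // (the pattern GuardRails flags) markup in the name would render as HTML.
                // escape=true makes the platform HTML-encode the whole message.
                a.addError(buildMessage(a.Name), true);
            }
        }
    }

    // Reject names containing characters that have no business in an account name;
    // the allowed pattern is an assumption, tighten it to your data.
    public static Boolean isAcceptableName(String name) {
        if (String.isBlank(name) || name.length() > 80) return false;
        return Pattern.matches('[A-Za-z0-9 .,&\'-]+', name);
    }

    // Plain message; safe only when the consumer escapes it (addError with escape=true,
    // or a Visualforce {!expression} with escaping left on).
    public static String buildMessage(String name) {
        return 'Invalid account name: ' + name;
    }

    // Pre-encoded message for sinks that render HTML unescaped, e.g. addError(msg, false)
    // or <apex:outputText escape="false">. String.escapeHtml4 is the built-in
    // equivalent of the ESAPI.encoder().SFDC_HTMLENCODE call shown on this page.
    public static String buildEncodedMessage(String name) {
        return 'Invalid account name: ' + name.escapeHtml4();
    }
}
```

Encode once, at the boundary of the sink that renders HTML; encoding the same value twice shows literal entities to the user.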

More information:

  • Force.com - ESAPI
  • OWASP Cheat Sheet - XSS

Open Redirect

Why is this important?

Open Redirects allow attackers to redirect legitimate users to an attacker-controlled location. This is typically used to make phishing attacks more successful.

Check out this video for a high-level explanation:

Open Redirects

Fixing Open Redirects

Option A: Avoid dynamic values in redirects

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for patterns like this:
public without sharing class Foo {
  // request parameter used directly as the redirect target
  String unsafeLocation = ApexPages.currentPage().getParameters().get('url_param');
  PageReference page() {
    return new PageReference(unsafeLocation);
  }
}
  3. Ensure that the location is either static, or the user input is sanitized.
  4. Test it
  5. Ship it 🚢 and relax 🌴
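The two sanitization strategies from step 3, as an added example that is not code from the GuardRails page: a controller that maps a request key to a fixed allow-listed path, plus a check for the case where a raw path must be accepted. The returnTo parameter name, the allow-list keys and the paths are assumptions.

```apex
// Added example: a Visualforce controller that redirects only to fixed, same-origin
// targets. Parameter name, allow-list keys and paths are assumptions for illustration.
public with sharing class SafeRedirectController {

    // Allow-list: the request may only name a key; the path itself is never user-supplied.
    private static final Map<String, String> ALLOWED_TARGETS = new Map<String, String>{
        'home'     => '/home/home.jsp',
        'accounts' => '/001/o'
    };

    // Replaces "return new PageReference(unsafeLocation)" from the flagged pattern.
    public PageReference redirectToRequested() {
        String key = ApexPages.currentPage().getParameters().get('returnTo');
        PageReference target = new PageReference(resolveTarget(key));
        target.setRedirect(true);
        return target;
    }

    // Unknown, blank or tampered keys fall back to the home page instead of erroring.
    public static String resolveTarget(String key) {
        if (String.isBlank(key)) return ALLOWED_TARGETS.get('home');
        String path = ALLOWED_TARGETS.get(key.trim().toLowerCase());
        return path != null ? path : ALLOWED_TARGETS.get('home');
    }

    // When a raw path must be accepted (e.g. to return the user to the page they came
    // from), accept only relative paths: rejects absolute URLs, scheme-relative '//host'
    // and backslash variants that some browsers normalise to '//'. Rejecting any ':' is
    // deliberately conservative; it also blocks 'javascript:' and 'data:' schemes.
    public static Boolean isSafeRelativePath(String path) {
        if (String.isBlank(path) || !path.startsWith('/')) return false;
        if (path.startsWith('//') || path.startsWith('/\\')) return false;
        if (path.contains(':') || path.contains('\\')) return false;
        return true;
    }
}
```

Prefer the allow-list: it keeps the target fully static, which is what Option A asks for, and the relative-path check is only a fallback for flows that genuinely need a caller-supplied path.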

More information

  • Common Weakness Enumeration (CWE-601)
© 2021 GuardRails