Jayesh Babu A V

How to solve the Information Disclosure Vulnerability issue?

I used this code to call the Bee Template API inside my Visualforce page using JavaScript:
request(
    'POST',
    'https://auth.getbee.io/apiauth',
    'grant_type=password&client_id={!clientId}&client_secret={!clientSecret}',
    'application/x-www-form-urlencoded',
    function (token) {
        // callback body not included in the original post
    }
);
And when I submitted this package for security review, I got the Stored XSS security issue. So, I changed the code to this:
request(
    'POST',
    'https://auth.getbee.io/apiauth',
    'grant_type=password&client_id={!JSENCODE(clientId)}&client_secret={!JSENCODE(clientSecret)}',
    'application/x-www-form-urlencoded',
    function (token) {
        // callback body not included in the original post
    }
);
But, now I got the Information Disclosure Vulnerability issue. This is the statement I got along with the issue:
Secrets should not be passed in the URL, JSENCODE is not sufficient to hide the secret.
So, how can I solve this?


Anudeep (Salesforce Developers)
The security review is identifying this as "Sensitive Info in URL": long-term secrets like usernames/passwords, API tokens, and long-lasting access tokens should not be sent via GET parameters in the query string. It is fine to send short-lived tokens like CSRF tokens in the URL. The Salesforce session ID or any PII data should not be sent over the URL to external applications, as per the documentation.

There are multiple ways to protect sensitive data within Force.com, depending on the type of secret being stored, who should have access, and how the secret should be updated.
  • Protected Custom Metadata Types
  • Protected Custom Settings
  • Apex Crypto Functions
  • Encrypted Custom Fields
  • Named Credentials
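The following is an added example, not code from the original thread, from Bee, or from Salesforce. It shows one way to apply the answer above: the client_id / client_secret exchange that the question performs in the browser is moved into an Apex remote action, the long-term secret is read on the server from a protected Custom Metadata Type, and only the short-lived access token is returned to the page. All names in it are assumptions (a Custom Metadata Type Bee_Setting__mdt with fields Client_Id__c and Client_Secret__c and a record named 'Default', a Remote Site Setting for auth.getbee.io, and a standard OAuth2 JSON token response containing "access_token").

```apex
// Added example (not from the original thread). Server-side token exchange so the
// client secret never appears in Visualforce markup or in a URL.
//
// Assumptions, none of which are in the original post:
//   - protected Custom Metadata Type Bee_Setting__mdt with text fields
//     Client_Id__c and Client_Secret__c and a record whose DeveloperName is 'Default'
//   - https://auth.getbee.io registered as a Remote Site Setting
//   - the endpoint answers with a standard OAuth2 JSON body that has "access_token"
public with sharing class BeeTokenController {

    public class BeeAuthException extends Exception {}

    private static final String TOKEN_ENDPOINT = 'https://auth.getbee.io/apiauth';

    // Invoked from the page's JavaScript via remoting. Because the secret is read
    // here, the page no longer needs {!clientSecret} or JSENCODE around it.
    @RemoteAction
    public static String getAccessToken() {
        Bee_Setting__mdt cfg = [
            SELECT Client_Id__c, Client_Secret__c
            FROM Bee_Setting__mdt
            WHERE DeveloperName = 'Default'
            LIMIT 1
        ];

        HttpRequest req = new HttpRequest();
        req.setEndpoint(TOKEN_ENDPOINT);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        // Credentials go in the URL-encoded POST body, never in the query string.
        req.setBody(
            'grant_type=password'
            + '&client_id=' + EncodingUtil.urlEncode(cfg.Client_Id__c, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(cfg.Client_Secret__c, 'UTF-8')
        );

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Report only the status code; the raw response body could expose
            // provider details to the browser.
            throw new BeeAuthException('Token request failed with HTTP ' + res.getStatusCode());
        }

        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        String token = (String) body.get('access_token');
        if (String.isBlank(token)) {
            throw new BeeAuthException('Token response did not contain access_token');
        }
        // Only the short-lived token leaves the server.
        return token;
    }
}
```

On the Visualforce page, the direct request(...) call is replaced by Visualforce.remoting.Manager.invokeAction('{!$RemoteAction.BeeTokenController.getAccessToken}', function (token, event) { ... }), and the callback hands the token to the Bee editor; a BeeAuthException reaches the callback as event.message. If the Named Credentials option from the list above is preferred instead of custom metadata, the secret lives in the credential, req.setEndpoint uses the callout:<credential name> form, and the body references the credential's merge fields, which keeps the secret out of both the page and the Apex code.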
Jayesh Babu A V
So, this issue is about storing the 'clientId' and 'clientSecret', not about using those variables in the Visualforce page, right?
Anudeep (Salesforce Developers)
Hey Jayesh, yes, that is correct.

If you find the information I shared above helpful, please mark the answer as Best. It may help others in the community.