Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
BPOOR

Open Redirect Security Issue

We are using a third-party company to scan our Salesforce code for SOQL injection and vulnerability issues with open page redirects. The below code is flagged as a vulnerability.
public PageReference customCancel() {
    // Target URL is built by concatenating the Opportunity Id onto a fixed Visualforce path
    PageReference objPageref = new PageReference('/apex/FulcrumInlineEdit?id=' + OptyId);
    objPageref.setRedirect(true);
    return objPageref;
}
The page is not using any URL hacking mechanisms like saveUrl, retUrl or cancelUrl. Based on the information given in the Trailhead module Prevent Open Redirects in your code (https://trailhead.salesforce.com/en/content/learn/modules/secdev_application_logic_vulnerabilities/secdev_app_logic_preventing_open_redirect), I am not sure how to modify the above code to make it secure. Can someone help?
 
Abhishek (Salesforce Developers)
Hi,

The below blog might answer your query,

https://developer.salesforce.com/forums/?id=906F000000092MSIAY

https://salesforce.stackexchange.com/questions/42015/prevention-for-open-redirect-problem-in-salesforce

Thanks!
BPOOR
Hi Abhishek,

Thanks for your response. Based on the link you have provided, my PageReference starts with "/" and is not using any returnUrl or something like that. What do I need to change in this case? If there were a returnUrl or something like that, I could either use ApexPages.currentPage().getParameters().get('returnUrl') and then check to see if it starts with "/", or I could use whitelisting to see if it is one of the allowed domains. However, in this case, we are just using /apex/FulcrumInlineEdit with the OpportunityId. I am not sure how I can change this.
Abhishek (Salesforce Developers)
Try with the whitelisting once.
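The following is an added example, not code from the original post, from Salesforce, or from the scanner vendor. It covers both situations raised in the thread: the poster's fixed-path customCancel(), and the retURL-style case that the whitelisting advice above applies to. The class name SafeRedirectController, the methods cancelToReturnUrl and isSafeRedirectTarget, the ALLOWED_HOSTS entries, the retURL parameter name and the '/006/o' fallback are all assumptions for illustration; FulcrumInlineEdit and OptyId are the page and property the poster mentioned.

```apex
// Added example, not code from the original post or from Salesforce.
// Assumed names: SafeRedirectController, cancelToReturnUrl, isSafeRedirectTarget,
// the ALLOWED_HOSTS entries and the '/006/o' fallback. FulcrumInlineEdit and
// OptyId are the page and property named in the thread.
public with sharing class SafeRedirectController {

    // Opportunity Id the page is editing; assumed to be set by the page/controller.
    public Id OptyId { get; set; }

    // Hosts an absolute redirect target may point to (constructed allow list;
    // replace with this org's My Domain and Visualforce hosts).
    private static final Set<String> ALLOWED_HOSTS = new Set<String>{
        'example.my.salesforce.com',
        'example--c.visualforce.com'
    };

    // Same intent as the poster's customCancel(): return to the inline-edit page
    // for the current Opportunity. The path is a server-chosen constant, and the
    // Id is type-checked and added as a parameter (PageReference URL-encodes it)
    // instead of being concatenated into the URL string.
    public PageReference customCancel() {
        if (OptyId == null || OptyId.getSObjectType() != Opportunity.SObjectType) {
            return null; // stay on the current page rather than redirect on bad input
        }
        PageReference target = new PageReference('/apex/FulcrumInlineEdit');
        target.getParameters().put('id', String.valueOf(OptyId));
        target.setRedirect(true);
        return target;
    }

    // The case the thread contrasts with: the target comes from a request
    // parameter (retURL, assumed name). It is followed only if it passes
    // isSafeRedirectTarget; otherwise the user lands on a fixed fallback.
    public PageReference cancelToReturnUrl() {
        String retUrl = ApexPages.currentPage().getParameters().get('retURL');
        PageReference target = isSafeRedirectTarget(retUrl)
            ? new PageReference(retUrl)
            : new PageReference('/006/o'); // fallback: Opportunity tab (assumed)
        target.setRedirect(true);
        return target;
    }

    // Accept a relative path inside this org, or an absolute https URL whose host
    // is on the allow list. Everything else (empty, protocol-relative '//host',
    // '/\host', javascript:, http://, unlisted host) is rejected.
    @TestVisible
    private static Boolean isSafeRedirectTarget(String candidate) {
        if (String.isBlank(candidate)) {
            return false;
        }
        String c = candidate.trim();
        if (c.startsWith('/')) {
            // '//host' and '/\host' are treated as protocol-relative by browsers
            return !c.startsWith('//') && !c.startsWith('/\\');
        }
        try {
            Url u = new Url(c);
            return u.getProtocol() == 'https'
                && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
        } catch (Exception e) {
            return false; // not parseable as a URL
        }
    }
}
```

For the poster's own case (no user-supplied target at all), the relevant part is customCancel(): the only user-influenced piece is the record Id, so checking it is an Opportunity Id and passing it through getParameters() rather than string concatenation keeps the redirect target fully server-controlled. The allow-list branch in isSafeRedirectTarget is what "whitelisting" means in practice when the target does come from the request: compare the parsed host against a fixed set, and treat anything that fails to parse as unsafe.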
Bulent Dogan
May I ask which tool you are using to identify these security issues? Checkmarx didn't find these issues before, that is why I'm asking.
BPOOR
We are using Veracode to scan for vulnerabilities in the code. Their algorithm appears to be very strict, and I have seen instances where the code is correct as per Salesforce, but Veracode still flags it as vulnerable. We have to go the extra mile to satisfy Veracode's scanning algorithm.