a!a!

Security Issues: Open Redirect Vulnerability

public with sharing class classexample {
    public classexample() {
        c = new Contact();
        // Copy every request parameter except returnUrl and the devmode flag onto the Contact
        paramMap = ApexPages.currentPage().getParameters();
        list1 = new List<String>(paramMap.keySet());
        for (Integer i = 0; i < list1.size(); i++) {
            paramName = list1.get(i);
            paramValue = paramMap.get(paramName);
            if (paramName != 'returnUrl' && paramName != 'core.apexpages.devmode.url') {
                c.put(paramName, paramValue);
            }
        }
        // Taken straight from the request and never validated (issue 1 below)
        returnUrl = ApexPages.currentPage().getParameters().get('returnUrl');
    }

    public Contact c;
    public String lastname { get; set; }
    public String firstname { get; set; }
    public String paramName { get; set; }
    public String paramValue { get; set; }
    public List<String> list1 { get; set; }
    public Map<String, String> paramMap { get; set; }
    public String returnUrl;

    public PageReference autorun() {
        if (c.lastname != null) {
            insert c;
        }
        if (returnUrl != null) {
            // Redirects to whatever returnUrl contained (issue 2 below)
            PageReference p = new PageReference(returnUrl);
            return p;
        } else {
            return null;
        }
    }
}

Hi to all,

In the above class there are two security issues.

1. returnUrl = apexpages.currentpage().getparameters().get('returnUrl');

and

2. pagereference p = new pagereference(returnUrl);
   return p;

Here the security issue is:

"Open Redirect Vulnerability

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it."

How to fix these issues? Please help me, it's urgent.

Thanking you in advance.

Best Answer chosen by Admin (Salesforce Developers)
sfdcfoxsfdcfox

You should make sure that the redirect URL meets one of the following conditions:

1) The URL starts with "/" (%2F escaped).
2) The URL starts with System.URL.getCurrentRequestURL().
3) The URL starts with System.URL.getSalesforceBaseURL().
4) The URL is otherwise on a whitelist of allowed URLs (e.g. if you allow a redirect to Google, this might be acceptable).

Try taking a look at the String or Pattern classes for examples of how you might check this.
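As a worked example of those four conditions, here is an added Apex class; it is not code from sfdcfox or from the thread, and the names SafeRedirect, isSafeRedirect, hostOf, redirect and the ALLOWED_EXTERNAL_HOSTS set are assumptions chosen for the example. It goes slightly beyond the answer in two places: conditions 2 and 3 compare the parsed host name instead of a string prefix, so a target whose host merely begins with the org's host is rejected, and condition 1 rejects paths that begin with "//" or "/\", which browsers treat as absolute URLs on another host.

```apex
public with sharing class SafeRedirect {
    // Constructed allow-list for condition 4 (assumption, not from the thread).
    private static final Set<String> ALLOWED_EXTERNAL_HOSTS = new Set<String>{ 'www.google.com' };

    // Matches an absolute http(s) URL and captures its host[:port] part.
    // '@' is excluded from the host so "https://trusted@evil" never parses as trusted.
    private static final Pattern ABS_URL = Pattern.compile('(?i)^https?://([^/?#@]+)(?:[/?#].*)?$');

    // Returns true only if target satisfies one of the four conditions in the answer.
    public static Boolean isSafeRedirect(String target) {
        if (String.isBlank(target)) {
            return false;
        }
        String t = target.trim();

        // Condition 1: a site-relative path. "//host" and "/\host" are protocol-relative
        // absolute URLs to browsers, so they are not treated as local paths.
        if (t.startsWith('/')) {
            return !(t.startsWith('//') || t.startsWith('/\\'));
        }

        // Conditions 2 and 3: same host as the current request or the Salesforce base URL.
        // The host is compared exactly, not as a string prefix of the whole URL.
        String host = hostOf(t);
        if (host == null) {
            return false; // not an absolute http(s) URL: reject by default
        }
        Set<String> sameOrigin = new Set<String>{
            System.URL.getCurrentRequestUrl().getHost().toLowerCase(),
            System.URL.getSalesforceBaseUrl().getHost().toLowerCase()
        };
        if (sameOrigin.contains(host)) {
            return true;
        }

        // Condition 4: explicit allow-list of external hosts.
        return ALLOWED_EXTERNAL_HOSTS.contains(host);
    }

    // Extracts the lowercase host from an absolute http/https URL; null if it is not one.
    private static String hostOf(String u) {
        Matcher m = ABS_URL.matcher(u);
        if (!m.matches()) {
            return null;
        }
        String host = m.group(1).toLowerCase();
        // Drop an explicit port so "https://host:8443/x" compares as "host".
        if (host.contains(':')) {
            host = host.substringBefore(':');
        }
        return host;
    }

    // Shape of a safe replacement for the redirect part of autorun():
    // only redirect when the target passes the check, otherwise stay on the page.
    public PageReference redirect(String returnUrl) {
        if (isSafeRedirect(returnUrl)) {
            return new PageReference(returnUrl);
        }
        return null;
    }
}
```

Calling redirect(ApexPages.currentPage().getParameters().get('returnUrl')) in place of the unconditional new PageReference(returnUrl) keeps the redirect for targets that satisfy one of the conditions and silently stays on the current page for everything else, which is the behaviour that removes the open redirect.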

All Answers

a!a!

Thanks for your quick response.

Can you please send me sample code? I am not understanding that topic.

Thank you.

 

a!a!

Hi sfdcfox,

It works.

Thank you.