Salesforce - Developer - Security - ESAPI

The OWASP (Open Web Application Security Project) Enterprise Security API is a 
free, open source, web application security control library that makes it easier 
for programmers to write lower-risk applications. The ESAPI libraries are 
designed to make it easier for programmers to retrofit security into existing 
applications. The ESAPI libraries also serve as a solid foundation for new 
development. 

The Apex ESAPI was built as a part of this project. Currently, it provides 
modules for Input Validation, Output Encoding and Access Control for Force.com 
objects (CRUD/FLS and Sharing) on the Force.com platform.

The package is available for download both as a managed and unmanaged package 
version here:

1. Managed package (v0.5): http://bit.ly/2heeMUf
2. Unmanaged package (v0.5): http://bit.ly/2he9Mij

The project documentation is a great place to get started with the ESAPI:
http://bit.ly/2hBk6Os

The input validation module can be used to validate user-provided data against a 
specific format, such as a credit card number. It can also be used to check that 
a string input conforms to another data type, such as an integer or a double, so 
that such fields cannot be used to exploit injection vulnerabilities.

Input validation gives you better control over user-supplied data, but it does 
not completely mitigate the risk of a user-supplied value being used as an attack 
vector. 

For example:

String creditCard = ApexPages.currentPage().getParameters().get('creditcard');
try {
    creditCard = ESAPI.validator().getValidCreditCard(creditCard, false);
} catch (Exception e) {
    /*
    report error here using e.getMessage(). Make sure you escape the string before
    displaying it back on page, and also be careful not to expose any internal 
    information.
    */
}

Access Control:

This module is used to enforce the Force.com built-in access control mechanisms: 
CRUD, FLS, and Sharing. As discussed in the Authorization section, Apex classes 
execute in system context and not in the current user context. This is why the 
platform can't enforce any of the security models. These Apex functions can be 
used to enforce security models as if the apex code was operating in current 
user context.

The following example uses ESAPI functions to enforce CRUD, FLS and sharing when 
updating the object s as the current user. The parameters to the update function 
are the object to be updated and the list of fields to be updated with their new 
values. 

// s is a modified SObject; message is a String property displayed to the user
String message;
try {
    // Enforce sharing rules in addition to CRUD and FLS for this operation
    ESAPI.accessController().setSharingMode(SFDCAccessController.SharingMode.WITH);
    // The list holds the names of the fields on s that are being updated
    ESAPI.accessController().updateAsUser(s, new List<String>{'data'});
} catch (SFDCAccessControlException e) {
    message = 'Access Control violation - Type: ' + e.getExceptionType() + ' Reason: ' 
        + e.getExceptionReason() + ' Object: ' + e.getExceptionObject() + ' Field: ' 
        + e.getExceptionField() + ' Text: ' + e.getText();
}

Output Encoding:

The output encoding module can be used to encode user-supplied input for the 
specific context in which it will be rendered, from within Apex classes. This is 
useful when you need to build dynamic HTML content that contains user input: you 
encode the user-supplied part in the Apex controller and then render the result 
using unescaped Visualforce tags. These functions provide the same functionality 
as the Visualforce encoding functions discussed in the Cross Site Scripting 
section. 

The main thing to understand is that you must use the encoding function that 
matches the context in which the data is going to be rendered in the VF page.

String usertext = ApexPages.currentPage().getParameters().get('usertext');
// the next line encodes the usertext similar to the VisualForce HTMLENCODE 
// function but within an Apex class.
usertext = ESAPI.encoder().SFDC_HTMLENCODE(usertext);

The ESAPI also contains methods for JSENCODE, JSINHTMLENCODE, input validation, 
authorization enforcement, and other tools. You can view all the methods by 
looking at the unmanaged package!
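The following Visualforce controller is an added example, not code from the original page or from the Apex ESAPI project: it ties the three modules discussed above together by validating a page parameter, updating a record as the running user under CRUD/FLS/sharing enforcement, and HTML-encoding everything echoed back to the page. The object Payment__c, its field Card_Number__c, the 'id' page parameter and the SFDC_JSENCODE method name (the JSENCODE counterpart) are assumptions.

```apex
// Added example; Payment__c, Card_Number__c and the 'id' parameter are hypothetical.
public with sharing class PaymentUpdateController {
    // Rendered with escape="false" on the page, so every value placed here is encoded first
    public String message { get; private set; }

    public PageReference saveCard() {
        Map<String, String> params = ApexPages.currentPage().getParameters();
        String creditCard;

        // 1. Input validation: reject anything that is not a well-formed card number.
        try {
            creditCard = ESAPI.validator().getValidCreditCard(params.get('creditcard'), false);
        } catch (Exception e) {
            // The validator message may reflect user input, so encode it before display
            message = 'Invalid card number: ' + ESAPI.encoder().SFDC_HTMLENCODE(e.getMessage());
            return null;
        }

        // 2. Access control: perform the update as the current user, honoring
        //    CRUD, FLS and sharing instead of the system context Apex normally runs in.
        Id recordId = params.get('id');
        Payment__c p = [SELECT Id, Card_Number__c FROM Payment__c WHERE Id = :recordId LIMIT 1];
        p.Card_Number__c = creditCard;
        try {
            ESAPI.accessController().setSharingMode(SFDCAccessController.SharingMode.WITH);
            ESAPI.accessController().updateAsUser(p, new List<String>{'Card_Number__c'});
        } catch (SFDCAccessControlException e) {
            // Report only the access-control facts, not internal details, and encode the whole string
            message = ESAPI.encoder().SFDC_HTMLENCODE('Access Control violation - Type: '
                + e.getExceptionType() + ' Reason: ' + e.getExceptionReason()
                + ' Object: ' + e.getExceptionObject() + ' Field: ' + e.getExceptionField());
            return null;
        }

        // 3. Output encoding: this value lands in HTML body text, so HTML-encode it.
        //    If it were written inside a <script> block, SFDC_JSENCODE (assumed name)
        //    would be the correct choice instead; the context decides the encoder.
        message = 'Saved card ending in ' + ESAPI.encoder().SFDC_HTMLENCODE(creditCard.right(4));
        return null;
    }
}
```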
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License