generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute

Author: semgrep

Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher.


Definition

rules:
  - id: csp-header-attribute
    languages:
      - generic
    severity: INFO
    message: Visualforce Pages must have the cspHeader attribute set to true. This
      attribute is available in API version 55 or higher.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm&type=5
      category: security
      subcategory:
        - vuln
      technology:
        - salesforce
        - visualforce
      cwe2022-top25: true
      cwe2021-top25: true
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    patterns:
      - pattern: <apex:page...>...</apex:page>
      - pattern-not: <apex:page...cspHeader="true"...>...</apex:page>
      - pattern-not: <apex:page...>...<!--deprecated-->...</apex:page>
      - pattern-not: <apex:page...>...<!-- deprecated -->...</apex:page>
    paths:
      include:
        - "*.page"

Examples

CSPHeaderAttribute.page

<!-- ruleid: csp-header-attribute -->
<apex:page docType="html-5.0" sidebar="false" standardController="Account" extensions="DefaultAppController, TemplateController">
    <apex:slds />
    <nFORCE:Include_SLDS_A11y_Overrides />
</apex:page>

<!-- ruleid: csp-header-attribute -->
<apex:page>
</apex:page>

<!-- ruleid: csp-header-attribute -->
<apex:page docType="html-5.0" sidebar="false" controller="AdministrationController" cspHeader="false">
    <apex:composition template="Template_Base">
        <apex:define name="topbar">
            <apex:include pageName="{!IF(isNull(route.Topbar__c),'nFORCE__InvalidRouteConfiguration',route.Topbar__c)}" />
        </apex:define>
        <apex:define name="navigation">
            <apex:include pageName="{!IF(isNull(route.Navigation__c),'nFORCE__InvalidRouteConfiguration',route.Navigation__c)}" />
        </apex:define>
        <apex:define name="subNavigation">
            <apex:include pageName="{!IF(isNull(route.Sub_Navigation__c),'nFORCE__InvalidRouteConfiguration',route.Sub_Navigation__c)}"
            />
        </apex:define>
        <apex:define name="body">
            <apex:include pageName="{!IF(isNull(route.Body__c),'nFORCE__InvalidRouteConfiguration',route.Body__c)}" />
        </apex:define>
    </apex:composition>

</apex:page>

<!-- ok: csp-header-attribute -->
<apex:page docType="html-5.0" cspHeader="true">
    <c:ManagePermissionSets />
</apex:page>

<!-- ok: csp-header-attribute -->
<apex:page>
<!--deprecated-->
</apex:page>

<!-- ok: csp-header-attribute -->
<apex:page>
	<!--deprecated-->
</apex:page>

<!-- ok: csp-header-attribute -->
<apex:page>
<!-- deprecated -->
</apex:page>

<!-- ok: csp-header-attribute -->
<apex:page>
	<!-- deprecated -->
</apex:page>
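The rule's logic re-implemented in plain Python as an added example (not code from the Semgrep rule, from Salesforce or from nCino), useful where a CI job cannot run Semgrep: each <apex:page> whose opening tag does not set cspHeader="true" is reported, pages carrying a <!-- deprecated --> marker are skipped, and the check runs over constructed sample pages modelled on the test cases above. It goes slightly beyond the generic-mode pattern by also accepting single-quoted values and whitespace around "="; attribute names are matched case-sensitively, exactly as the rule does.

```python
import re

# Opening <apex:page ...> tag; [^>]* also spans attributes broken over lines.
OPEN_TAG = re.compile(r"<apex:page\b([^>]*)>")
CLOSE_TAG = "</apex:page>"
# cspHeader="..." or cspHeader='...' inside the opening tag's attribute list.
CSP_ATTR = re.compile(r"\bcspHeader\s*=\s*([\"'])(.*?)\1", re.DOTALL)
# The rule excludes pages that carry a deprecation marker in their body.
DEPRECATED = re.compile(r"<!--\s*deprecated\s*-->")


def check_page(source: str) -> list[str]:
    """Return one finding per <apex:page> element that is not CSP-protected.

    Mirrors the Semgrep rule: a page is reported unless its opening tag sets
    cspHeader="true" or its body contains <!-- deprecated -->."""
    findings = []
    for m in OPEN_TAG.finditer(source):
        close = source.find(CLOSE_TAG, m.end())
        body = source[m.end():close] if close != -1 else source[m.end():]
        if DEPRECATED.search(body):
            continue  # deprecated page: excluded by the rule's pattern-not
        line = source.count("\n", 0, m.start()) + 1
        csp = CSP_ATTR.search(m.group(1))
        if csp is None:
            findings.append(f"line {line}: cspHeader attribute missing")
        elif csp.group(2).strip() != "true":
            findings.append(f"line {line}: cspHeader={csp.group(2)!r}, must be \"true\"")
    return findings


# Constructed sample pages modelled on the rule's own test cases (not real files).
SAMPLES = {
    "missing": '<apex:page docType="html-5.0" sidebar="false">\n  <apex:slds />\n</apex:page>\n',
    "false": '<apex:page controller="AdministrationController"\n           cspHeader="false">\n</apex:page>\n',
    "true": '<apex:page docType="html-5.0" cspHeader="true">\n  <c:ManagePermissionSets />\n</apex:page>\n',
    "deprecated": '<apex:page>\n\t<!-- deprecated -->\n</apex:page>\n',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, check_page(src) or "ok")
```

Because the attribute only exists from API version 55, a page whose .page-meta.xml declares an older apiVersion needs that bumped before the finding can be fixed by adding cspHeader="true".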