Security Audit

Since we're dealing with potentially sensitive (and potentially legally protected) information, we should put this module through the wringer w.r.t security. There are a couple issues posted already about some potential security holes - #782308: exposing salesforce username, password, and token in variables table is a security risk, #782314: WSDL in web accessible path is a security risk. What about incoming transaction forgeries? API Sessions? XSS opportunities? Countless other potential holes?

Comments

Comment #1

he/him

commented 19 May 2010 at 13:57

adding
#477182: Encrypt API password and token

Log in or register to post comments

kostajh’s picture

Comment #2

kostajh commented 1 February 2011 at 15:32

Coder did not find anything when running the module through its security check.

#500052: Allow salesforce to initiate imports included restricting access for sf_notifications by IP.

I would say that when #477182: Encrypt API password and token is in, we could close this ticket and open issues as they arise.

Log in or register to post comments

Comment #3

EvanDonovan commented 3 February 2011 at 15:58

It's in now; thanks Aaron!

I agree with kostajh.

Log in or register to post comments

Comment #4

he/him

commented 3 February 2011 at 19:13

Status:

Active

» Fixed

awesome

Log in or register to post comments

Comment #5

17 February 2011 at 19:20

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Log in or register to post comments