Possible Server-Side Request Forgery vulnerability

[Chris-Paul3625]

flow_action_components/CloneAndTweak/force-app/main/default/classes/GetFlowMetadata.cls, line 83
Unsanitized input from a SOQL statement flows into setendpoint, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.

[ericrsmith35]

@Chris-Paul3625 Do you have a suggested solution?

[Chris-Paul3625]

Hello Eric,
This vulnerability came on our scan of the package. While I am not a dev a few things that could resolve this would be to
Ensure that any user-provided input is validated and sanitized before being used in the setEndpoint method. Define a strict whitelist of allowed URLs or patterns that are acceptable for your application. For example:

Use regular expressions to allow only specific domain names.
Restrict input to a list of predefined endpoints.

Additionally our system offered up the following:

Named Credentials: Use Salesforce Named Credentials to manage external endpoint configuration. Named Credentials abstract the endpoint and authentication, reducing the risk of SSRF.