Xml injection vulnerability in SObject

[aaron-henselin]

Strings are not XmlEncoded when an SObject is encoded. This leads to "records not processed" exceptions when fields contain xml characters.

This should be considered a security issue as tag injection & mass assignment is possible as a result. Proof of concept attack available on request.

[PaulDMendoza]

Oh, I'm so glad you reported this. I have been encountering this error so I guess I need to sanitize my fields.

Salesforce.Common.ForceException: Records not processed
   at Salesforce.Common.XmlHttpClient.HttpGetAsync[T](Uri uri)
   at Salesforce.Common.XmlHttpClient.HttpGetAsync[T](String urlSuffix)
   at Salesforce.Force.ForceClient.GetBatchResultAsync(String batchId, String jobId)
   at Salesforce.Force.ForceClient.GetBatchResultAsync(BatchInfoResult batchInfo)
   at Salesforce.Force.ForceClient.RunJobAndPollAsync[T](String objectName, String externalIdFieldName, OperationType operationType, IEnumerable`1 recordsLists)
   at DragnetTech.EventProcessors.SalesForce.SFDCApi.RunJobAndPollAsync(String recordtype, String externalIdFieldName, OperationType operationType, List`1 batchList) in C:\BuildAgent\work\cd2eb89e93c72895\Functions\DragnetTech.EventProcessors\SalesForce\SFDCApi.cs:line 80

[aaron-henselin]

If you're OK with creating your own version of 'SObject', here is the associated PR:

https://github.com/wadewegner/Force.com-Toolkit-for-NET/pull/387/files