Feature Request FR-3187
Product Area Page Components
Status CLOSED

6 Voters

Server-side Validation for Dynamic Actions and Ajax Callback processes

anton nielsen Public
· Jun 8 2023

Idea Summary
Dynamic Actions with Ajax calls and Ajax Callback processes are highly vulnerable to hacking. A malicious user can change the data being passed to the server and no validations can fire. With DAs that execute server side code and with Ajax Callback processes a developer has to remember to code validations in validations. With Dynamic Action plug-ins, though, it is almost impossible to validate the data going in. In all cases, it would be helpful to be able to code a server side validation prior to running any Ajax calls. This is even true for a region refresh, for example. If I have a classic report that is driven by a select list (e.g. a list of employees in my department) and a hacker injects a different employee into the select list, the region may show something it should not. Of course, I should handle that in my report region source, but having a server side validation would be another way to explicitly make sure session state is not tampered with. 

Use Case
All Ajax calls but especially for DA plug-ins where there is no other way to protect against session state manipulation.

Preferred Solution (Optional)

Add a server side validation attribute in the Execution section of anything that is an Ajax callback (DAs and Ajax Callback processes).

We reviewed this idea carefully, and while it was interesting, we concluded that it is unlikely to make its way into APEX in the foreseeable future.

Comments

  • carsten.czarski APEX Team OP 1.6 years ago

    Hi Anton,

    protecting AJAX calls is a valid requirement, but this actually touches different areas. For instance, your example about tampered LOV values: This actually not only impacts AJAX calls but also normal page submits (a different LOV value could be sneaked in here as well, and very often there are no additional validations on the server). Adding capability to verify a passed LOV value against the LOV definition is on our roadmap - but it would not be a “Server Side Validation” for an AJAX call, but rather some attribute on the LOV level to enable that for all use-cases.

    For other cases, your idea makes sense, of course. 

    I would also like to point out for other readers, that (validations or no validations in use) server-side code should never trust values passed from the browser. So, the PL/SQL code of an AJAX callback should always verify every value it receives from the browser.

    So, parts of this idea (LOV) will most likely be addressed differently, others need to be thought through first. However, in the near future I don't see the APEX team addressing that - it will probably take some time until we can prioritize on that. So I'll close that idea as “Not Now” - it's not lost and we keep an eye on it.

    regards

    -Carsten
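The point Carsten makes about never trusting browser-supplied values, and Anton's employee select-list scenario, can be combined into one Ajax Callback process body. The following is an added example written for this page, not code from the original post, from Oracle, or from APEX itself. It assumes a hypothetical EMP table with EMPNO, ENAME and DEPTNO columns, a hypothetical function my_security.current_deptno that returns the department of the logged-in user, and that the client invokes the process with apex.server.process('GET_EMP_DETAILS', { x01: $v('P1_EMPNO') }, ...), so the chosen employee arrives in apex_application.g_x01.

```plsql
-- Added example (not from the original post or from APEX): an Ajax Callback
-- process that re-validates the value sent by the browser before using it.
-- Assumed: table EMP(EMPNO, ENAME, DEPTNO) and function
-- my_security.current_deptno(p_user) returning the caller's department.
declare
    l_empno   number;
    l_allowed pls_integer;
    l_ename   emp.ename%type;
begin
    -- g_x01 is whatever the browser sent; a tampered request can put any
    -- string here regardless of what the page's select list offered.
    begin
        l_empno := to_number(apex_application.g_x01);
    exception
        when value_error or invalid_number then
            raise_application_error(-20001, 'Invalid employee identifier');
    end;

    -- Re-run the same predicate that drives the select list (employees of the
    -- caller's own department). Anything outside that set is rejected on the
    -- server, no matter what the client-side code or the LOV claimed.
    select count(*)
      into l_allowed
      from emp
     where empno  = l_empno
       and deptno = my_security.current_deptno(:APP_USER);

    if l_allowed = 0 then
        -- Log the attempt so tampering shows up in the debug trail.
        apex_debug.warn('Rejected EMPNO %s requested by %s', l_empno, :APP_USER);
        raise_application_error(-20002, 'Employee not accessible');
    end if;

    -- Only after the check do we act on the value and answer the caller.
    select ename
      into l_ename
      from emp
     where empno = l_empno;

    apex_json.open_object;
    apex_json.write('empno', l_empno);
    apex_json.write('ename', l_ename);
    apex_json.close_object;
end;
```

The check deliberately repeats the select list's own WHERE clause rather than comparing against the rendered list, because the list in the browser is exactly the thing an attacker controls. The same pattern applies to the server-side PL/SQL of a Dynamic Action: the code that receives the value, not the page that rendered the list, is where the authorization decision has to be made.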