Prerequisites
- An authentication method that uses pre-configured tokens or secret values (for example, OAuth 2)
- The user is able to input a domain or subdomain when authenticating within Zapier
- Your integration stores sensitive authentication details (in environment variables, for example) which are used as part of the authentication process
Steps
- If your integration allows for the user to provide a domain, validate the input against an allow-list of trusted domains.
- If your integration allows for the user to provide a subdomain, add conditional validation for the subdomain string whenever you include the value in your OAuth HTTP requests. This change will prevent potential exploitation of the subdomain vulnerability.
Handle subdomain validation in Platform UI
- Update the Access Token Request and related sections under the OAuth v2 Endpoint Configuration options, using the Code Mode editor.
- Example code for handling subdomain validation in integrations built using the Platform UI, via Code Mode:
Handle subdomain validation in Platform CLI
- If you’re using OAuth-based authentications, update the getAccessToken and optional refreshAccessToken configuration methods. If the integration uses shorthand HTTP requests, switching to manual HTTP requests will allow you to perform this manual subdomain validation.
- Example code for handling subdomain validation in integrations built using the Platform CLI:
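The block below is an added example and is not Zapier's own sample code for either the Code Mode section or the Platform CLI section above; it shows the validation both sections call for, written in the Platform CLI's getAccessToken shape (in Code Mode the same validation logic goes into the Access Token Request editor). The base domain example.com, the input field name subdomain, the token path /oauth/token, and the CLIENT_ID and CLIENT_SECRET environment variable names are assumptions to be replaced with the integration's own values. The point of the check is that an unvalidated value such as "attacker.example.net/" would change which host receives the token request, and with it the client secret read from the environment.

```javascript
// Added example (not Zapier's code): strict subdomain validation before an
// OAuth 2 token request. BASE_DOMAIN, the "subdomain" input field and the
// environment-variable names are assumptions for this illustration.
const BASE_DOMAIN = 'example.com';

// One DNS label only: 1-63 characters, letters/digits/hyphens, and no leading
// or trailing hyphen. Dots, slashes, "@", "?" and "#" are all rejected, so the
// value cannot smuggle a different host or path into the URL.
const SUBDOMAIN_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns the normalized subdomain or throws a descriptive error.
function validateSubdomain(raw) {
  if (typeof raw !== 'string') {
    throw new Error('Subdomain must be a string');
  }
  const subdomain = raw.trim().toLowerCase();
  if (!SUBDOMAIN_RE.test(subdomain)) {
    throw new Error(`Invalid subdomain: ${JSON.stringify(raw)}`);
  }
  return subdomain;
}

// Convenience predicate for tests and logging: true if the value is accepted.
function isValidSubdomain(raw) {
  try {
    validateSubdomain(raw);
    return true;
  } catch (err) {
    return false;
  }
}

// Builds the token endpoint URL and, as a second line of defence, checks that
// the parsed host is exactly "<subdomain>.<baseDomain>" over HTTPS.
function buildTokenUrl(rawSubdomain, baseDomain = BASE_DOMAIN) {
  const subdomain = validateSubdomain(rawSubdomain);
  const url = new URL(`https://${subdomain}.${baseDomain}/oauth/token`);
  const expectedHost = `${subdomain}.${baseDomain}`;
  if (url.protocol !== 'https:' || url.hostname !== expectedHost) {
    throw new Error(`Token URL host mismatch: ${url.hostname}`);
  }
  return url.toString();
}

// Platform CLI shape: a manual HTTP request in getAccessToken that only ever
// uses the validated URL. `z` and `bundle` are supplied by the Zapier runtime.
const getAccessToken = async (z, bundle) => {
  const response = await z.request({
    url: buildTokenUrl(bundle.inputData.subdomain),
    method: 'POST',
    body: {
      code: bundle.inputData.code,
      client_id: process.env.CLIENT_ID,
      client_secret: process.env.CLIENT_SECRET,
      grant_type: 'authorization_code',
      redirect_uri: bundle.inputData.redirect_uri,
    },
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
  });
  response.throwForStatus();
  return {
    access_token: response.data.access_token,
    refresh_token: response.data.refresh_token,
  };
};

module.exports = { validateSubdomain, isValidSubdomain, buildTokenUrl, getAccessToken };
```

Apply the same buildTokenUrl call in refreshAccessToken, and in any other request that interpolates the user-supplied subdomain, so every outbound URL passes through one validation path. The explicit hostname comparison after URL parsing is deliberate: it makes the check independent of the regular expression, so a later relaxation of the pattern cannot silently reintroduce the problem.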