Salesforce Functions detection
Vulkro's Salesforce Functions detector pack (src/security/sf_functions.rs)
scans Node.js or Java Functions packages declared under functions/*/
in an SFDX project. It recognises a Functions package by a project.toml
with a salesforce.functions table, by package.json dependencies on
@heroku/sf-fx-runtime-nodejs or @salesforce/salesforce-sdk, or by
pom.xml dependencies on salesforce-sdk / sf-fx-runtime-java.
Rules
| ID | Severity | What it catches |
|---|---|---|
| SFN-001 | High | Functions invocation context (context.accessToken, context.org.id) logged to stderr, sent over the network, or written to a file. Logging the access token effectively leaks a session credential. |
| SFN-002 | High | The runtime access token stored in a process-global / module-scoped variable, or returned from the function body. Functions are invoked many times per warm container; a globally cached token leaks across customer invocations. |
| SFN-003 | High | Inbound payload (event.data, function arg) fed directly into context.org.dataApi.update(...) / .create(...) / .delete(...) without an allowlist or schema validation. The DataApi binding gives the function full write access at the user's permission level. |
| SFN-004 | Medium | Outbound HTTP call (fetch(...), axios.*(...), RestClient.*(...)) without a rate-controlling wrapper (bottleneck, p-limit, setTimeout-based throttle). Functions hit per-org API limits aggressively when invoked in a batch context. |
| SFN-005 | Medium | Synchronous CPU-heavy loop without await, infinite-loop pattern, or unbounded recursion. The Functions runtime kills containers that exceed CPU or memory limits, but only after the budget is spent. |
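The following is an added example, not Vulkro's code and not the Salesforce SDK: a Node.js Function handler written the way SFN-001, SFN-002 and SFN-003 flag it, next to a hardened version that caches nothing from the context, logs no credential, and passes inbound data to `dataApi.update` only after an allowlist check. The `context` object is a constructed mock that mimics the shape the rules reference (`context.accessToken`, `context.org.id`, `context.org.dataApi.update`); the `logger.info` signature, the `ALLOWED_UPDATES` allowlist and all ids and tokens are assumptions made for the example.

```javascript
// Added example: constructed mock of the Functions invocation context.
// Not the real SDK; only the shape the SFN rules refer to is reproduced.
function makeMockContext() {
  const writes = [];                       // every record the handler tried to write
  return {
    accessToken: 'CONSTRUCTED-TOKEN-NOT-REAL',   // constructed, not a real token
    org: {
      id: '00D000000000001',                     // constructed org id
      dataApi: {
        update: async (record) => { writes.push(record); return { id: record.fields.Id }; },
      },
    },
    writes,
  };
}

// A logger that keeps its lines so we can check what would reach the container log stream.
function makeLogger() {
  const lines = [];
  return { lines, info: (msg) => lines.push(String(msg)) };
}

// --- vulnerable handler: the patterns SFN-001 / SFN-002 / SFN-003 catch ---
let cachedToken;                           // SFN-002: module-scoped token outlives the invocation
async function vulnerableHandler(event, context, logger) {
  cachedToken = context.accessToken;       // SFN-002: token cached in a warm container
  logger.info(`token=${context.accessToken} org=${context.org.id}`); // SFN-001: credential to the log
  return context.org.dataApi.update(event.data); // SFN-003: caller-controlled type and fields
}

// --- hardened handler --------------------------------------------------
// Hypothetical allowlist of sObject types and the fields this function may touch.
const ALLOWED_UPDATES = { Account: new Set(['Id', 'Name', 'Phone']) };
const SF_ID = /^[A-Za-z0-9]{15}([A-Za-z0-9]{3})?$/;   // 15- or 18-character Salesforce id

// Builds the DataApi update record from the inbound payload, rejecting anything
// outside the allowlist. Throws on invalid input so nothing reaches dataApi.
function validateUpdate(data) {
  if (!data || typeof data !== 'object') throw new Error('payload must be an object');
  const allowed = ALLOWED_UPDATES[data.type];
  if (!allowed) throw new Error(`sObject type not allowed: ${String(data.type)}`);
  const fields = {};
  for (const [name, value] of Object.entries(data.fields ?? {})) {
    if (!allowed.has(name)) throw new Error(`field not allowed: ${name}`);
    if (typeof value !== 'string' || value.length > 255) throw new Error(`bad value for ${name}`);
    fields[name] = value;
  }
  if (!SF_ID.test(fields.Id ?? '')) throw new Error('Id missing or malformed');
  return { type: data.type, fields };
}

async function hardenedHandler(event, context, logger) {
  // Nothing from `context` is cached, returned or logged; only the event id is.
  logger.info(`invocation ${event.id}: validating update`);
  const record = validateUpdate(event.data);
  return context.org.dataApi.update(record);
}

// Synchronous check helper: true when validateUpdate rejects the payload.
function rejectsUpdate(data) {
  try { validateUpdate(data); return false; } catch { return true; }
}

// True when no logged line contains the access token or the org id.
function logIsClean(lines, context) {
  return lines.every((l) => !l.includes(context.accessToken) && !l.includes(context.org.id));
}

// Stand-alone demo: run both handlers on the same constructed event.
async function demo() {
  const event = { id: 'evt-1', data: { type: 'Account', fields: { Id: '001000000000001AAA', Name: 'Acme' } } };
  const vCtx = makeMockContext(), vLog = makeLogger();
  await vulnerableHandler(event, vCtx, vLog);
  const hCtx = makeMockContext(), hLog = makeLogger();
  await hardenedHandler(event, hCtx, hLog);
  return {
    vulnerableLogClean: logIsClean(vLog.lines, vCtx),   // false: token and org id were logged
    hardenedLogClean: logIsClean(hLog.lines, hCtx),     // true
    hardenedWrites: hCtx.writes,                        // exactly the validated record
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The allowlist is deliberately per-type and per-field: SFN-003 is about the DataApi binding carrying the invoking user's full write permission, so a schema check that only confirms "is an object with a type" does not narrow what an attacker-shaped payload can update. The hardened handler also returns only the `dataApi` result, never the token, which is what SFN-002's "returned from the function body" clause is looking for.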
Pro gate
This detector pack is part of the Pro tier. It is gated by
license::Feature::SfFunctions. The vulkro scan invocation that
encounters a functions/ tree will refuse to run the SF Functions
analyser on the Free tier and prompt for a Pro license. Native scanners
for the project's other languages still run.
Example finding
Severity: High
Rule: SFN-001
File: functions/payment_processor/src/index.ts
Line: 42
Message: SFN-001: Functions invocation context credential leak.
`context.accessToken` is passed to `console.log`. The
Functions runtime mints a fresh session token per
invocation; logging it sends a live credential to the
container's log stream.