PingOne DaVinci

Using custom code safely

Follow these best practices to use custom code in your flows.

Custom code is a feature that lets you create your own code to include in DaVinci flows. It’s available in multiple connectors and capabilities, including:

  • Custom HTML template script field

  • Custom Functions

  • Code Snippet fields

Risks

Because custom code fields can run any code provided, they carry additional security risks.

Learn more about the risks of custom code in the Open Worldwide Application Security Project resources.

Code Execution Location

When you include custom code, it either runs on the server side or the client side, depending on the node type:

  • The Code Snippet connector and the Custom Function capability of the Functions connector run code on the server side.

  • Script fields in any other node with a customizable HTML template are run on the client side.

You need to consider where the code runs when designing and building flows. Because client-side code can be viewed, you shouldn’t include sensitive values in code that is run on the client side.

In addition, variable and parameter values included in custom code have their values added in different ways, which can impact your flow design.

  • Variable values included using the {{global.variables.variableName}} structure have the value substituted on the server side before the code runs, replacing the structure with the unescaped value or, if the variable value is a object, a stringified version. This means that, if you want to include non-static HTML in your custom code, you should use variables and not parameters.

  • Parameters included using the {{parameterName}} structure are sent as an additional argument to the client, where Handlebars uses it to process the template. This does escape any special characters in the parameter value.

If you want to use an object or a portion of an object in custom code, you can use the following methods, ordered from most to least secure:

  1. Add the input properties to the node’s input schema and map the values from the source object.

  2. If the number of inputs can’t be known ahead of time, create an input property to pass the object, then use Handlebars #each, #with, and lookup helpers to access the individual values.

  3. Use an alternate syntax for the object property you want to reference. Replace the periods in the object name with slashes. For example, {{myUser/category/example}}.

  4. If you want to use JavaScript instead of Handlebars to add content, you can use input parameters using this format: (const myObject = JSON.parse({{myInput}});) or use DaVinci parameter substitution using this format: (const myObject = JSON.parse({{local.aNodeId.aCapability.output.someObject}});).

Recommendations

Follow these recommendations when using custom code fields:

  • Make sure that only trusted users can access DaVinci to add custom code.

  • Make sure that any custom code you plan to use is reviewed before it is added to user-facing flows, regardless of whether the custom code was produced by you or by a third party. You can use Semgrep as a tool for reviewing your code for security vulnerabilities.

  • Make sure that sensitive or private information isn’t exposed by any variables or run-time data processed by custom code.