rspec/rules/S5392/apex/rule.adoc

SOQL queries, just as SQL queries, are sensitive to injection attacks. An injection attack happens when a user-controlled value is inserted in a query without proper sanitization. This enables attackers to access sensitive information or even perform unauthorized data modification.


This rule raises an issue when one of the methods ``++Database.query++``, ``++Database.countQuery++`` is called with a string which was build by:

* calling ``++String.format++``
* concatenation (string + string)
* calling ``++String.replace++``, ``++String.replaceAll++``, ``++String.replaceFirst++``

AND the strings provided were not hardcoded nor sanitized by ``++string.escapeSingleQuotes++``


== Ask Yourself Whether

* The SOQL query is built using string formatting technics, such as concatenating variables.
* Some of the values are coming from an untrusted source and are not sanitized.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

* Use static queries with bind variables whenever possible. This is the best way to prevent SOQL injections. Even when there is no injection possible it will at least make code review easier.
* If you really have to use dynamic queries, sanitize all values with while-listing, type-casting or ``++string.escapeSingleQuotes()++``. See the links below for examples.


== Sensitive Code Example

----
public class My {
    public getContact(String firstname) {
        String query = 'SELECT id FROM Contact WHERE firstname =\''+firstname+'\'';
        return Database.execute(query);  // Sensitive
    }
}
----


== Compliant Solution

[source,apex]
----
public class My {
    public getContactSafe(String firstname) {
        String query = 'SELECT id FROM Contact WHERE firstname =\''+String.escapeSingleQuotes(firstname)+'\'';
        return Database.execute(query);  // Compliant
    }
}
----


== See

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://trailhead.salesforce.com/en/content/learn/modules/secure-serverside-development/mitigate-soql-injection[Prevent SOQL Injection in Your Code]
* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure that formatting this SOQL query is safe here.


endif::env-github,rspecator-view[]
Modify Rules: Multiple typo on missing hyphens (#660) 2021-12-13 16:18:55 +01:00			`SOQL queries, just as SQL queries, are sensitive to injection attacks. An injection attack happens when a user-controlled value is inserted in a query without proper sanitization. This enables attackers to access sensitive information or even perform unauthorized data modification.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00

			This rule raises an issue when one of the methods ``++Database.query++``, ``++Database.countQuery++`` is called with a string which was build by:

			* calling ``++String.format++``
			`* concatenation (string + string)`
			* calling ``++String.replace++``, ``++String.replaceAll++``, ``++String.replaceFirst++``

			AND the strings provided were not hardcoded nor sanitized by ``++string.escapeSingleQuotes++``

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Ask Yourself Whether`

			`* The SOQL query is built using string formatting technics, such as concatenating variables.`
			`* Some of the values are coming from an untrusted source and are not sanitized.`

			`There is a risk if you answered yes to any of those questions.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Recommended Secure Coding Practices`

			`* Use static queries with bind variables whenever possible. This is the best way to prevent SOQL injections. Even when there is no injection possible it will at least make code review easier.`
			* If you really have to use dynamic queries, sanitize all values with while-listing, type-casting or ``++string.escapeSingleQuotes()++``. See the links below for examples.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Sensitive Code Example`

			`----`
			`public class My {`
			`public getContact(String firstname) {`
			`String query = 'SELECT id FROM Contact WHERE firstname =\''+firstname+'\'';`
			`return Database.execute(query); // Sensitive`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,apex]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`public class My {`
			`public getContactSafe(String firstname) {`
			`String query = 'SELECT id FROM Contact WHERE firstname =\''+String.escapeSingleQuotes(firstname)+'\'';`
			`return Database.execute(query); // Compliant`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`* https://trailhead.salesforce.com/en/content/learn/modules/secure-serverside-development/mitigate-soql-injection[Prevent SOQL Injection in Your Code]`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation`
Fix CWE mapping (#1128) 2022-08-18 10:33:50 +02:00			`* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure that formatting this SOQL query is safe here.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`endif::env-github,rspecator-view[]`