Table of Contents
ApexBadCrypto
Since: PMD 5.5.3
Priority: Medium (3)
The rule makes sure you are using randomly generated IVs and keys for Crypto
calls.
Hard-wiring these values greatly compromises the security of encrypted data.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexBadCryptoRule
Example(s):
public without sharing class Foo {
Blob hardCodedIV = Blob.valueOf('Hardcoded IV 123');
Blob hardCodedKey = Blob.valueOf('0000000000000000');
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', hardCodedKey, hardCodedIV, data);
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexBadCrypto" />
ApexCRUDViolation
Since: PMD 5.5.3
Priority: Medium (3)
The rule validates you are checking for access permissions before a SOQL/SOSL/DML operation. Since Apex runs by default in system mode not having proper permissions checks results in escalation of privilege and may produce runtime errors. This check forces you to handle such scenarios.
Since Winter ‘23 (API Version 56) you can enforce user mode for database operations by using
WITH USER_MODE
in SOQL. This makes Apex to respect Field-level security (FLS) and object
permissions of the running user. When using user mode, no violation is reported by this rule.
By default, the rule allows access checks can be performed using system Apex provisions such as
DescribeSObjectResult.isAccessible/Createable/etc.
, the SOQL WITH SECURITY_ENFORCED
clause,
or using the open source Force.com ESAPI
class library. Because it is common to use authorization facades to assist with this task, the
rule also allows configuration of regular expression-based patterns for the methods used to
authorize each type of CRUD operation. These pattern are configured via the following properties:
createAuthMethodPattern
/createAuthMethodTypeParamIndex
- a pattern for the method used for create authorization and an optional 0-based index of the parameter passed to that method that denotes theSObjectType
being authorized for create.readAuthMethodPattern
/readAuthMethodTypeParamIndex
- a pattern for the method used for read authorization and an optional 0-based index of the parameter passed to that method that denotes theSObjectType
being authorized for read.updateAuthMethodPattern
/updateAuthMethodTypeParamIndex
- a pattern for the method used for update authorization and an optional 0-based index of the parameter passed to that method that denotes theSObjectType
being authorized for update.deleteAuthMethodPattern
/deleteAuthMethodTypeParamIndex
- a pattern for the method used for delete authorization and an optional 0-based index of the parameter passed to that method that denotes theSObjectType
being authorized for delete.undeleteAuthMethodPattern
/undeleteAuthMethodTypeParamIndex
- a pattern for the method used for undelete authorization and an optional 0-based index of the parameter passed to that method that denotes theSObjectType
being authorized for undelete.mergeAuthMethodPattern
/mergeAuthMethodTypeParamIndex
- a pattern for the method used for merge authorization and an optional 0-based index of the parameter passed to that method that denotes theSObjectType
being authorized for merge.
The following example shows how the rule can be configured for the
sirono-common
AuthorizationUtil
class:
<rule ref="category/apex/security.xml/ApexCRUDViolation" message="Validate CRUD permission before SOQL/DML operation">
<priority>3</priority>
<properties>
<property name="createAuthMethodPattern" value="AuthorizationUtil\.(is|assert)(Createable|Upsertable)"/>
<property name="readAuthMethodPattern" value="AuthorizationUtil\.(is|assert)Accessible"/>
<property name="updateAuthMethodPattern" value="AuthorizationUtil\.(is|assert)(Updateable|Upsertable)"/>
<property name="deleteAuthMethodPattern" value="AuthorizationUtil\.(is|assert)Deletable"/>
<property name="undeleteAuthMethodPattern" value="AuthorizationUtil\.(is|assert)Undeletable"/>
<property name="mergeAuthMethodPattern" value="AuthorizationUtil\.(is|assert)Mergeable"/>
</properties>
</rule>
Note: This rule will produce false positives for VF getter methods. In VF getters the access permission check happens automatically and is not needed explicitly. However, the rule can’t reliably determine whether a getter is a VF getter or not and reports a violation in any case. In such cases, the violation should be suppressed.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexCRUDViolationRule
Example(s):
public class Foo {
public Contact foo(String status, String ID) {
// validate you can actually query what you intend to retrieve
Contact c = [SELECT Status__c FROM Contact WHERE Id=:ID WITH SECURITY_ENFORCED];
// Make sure we can update the database before even trying
if (!Schema.sObjectType.Contact.fields.Status__c.isUpdateable()) {
return null;
}
c.Status__c = status;
update c;
return c;
}
}
This rule has the following properties:
Name | Default Value | Description | Multivalued |
---|---|---|---|
updateAuthMethodPattern | A regular expression for one or more custom update authorization method name patterns. | no | |
updateAuthMethodTypeParamIndex | 0 | The 0-based index of the sObjectType parameter for the custom update authorization method. Defaults to 0. | no |
readAuthMethodPattern | A regular expression for one or more custom read authorization method name patterns. | no | |
readAuthMethodTypeParamIndex | 0 | The 0-based index of the sObjectType parameter for the custom read authorization method. Defaults to 0. | no |
undeleteAuthMethodPattern | A regular expression for one or more custom undelete authorization method name patterns. | no | |
undeleteAuthMethodTypeParamIndex | 0 | The 0-based index of the sObjectType parameter for the custom undelete authorization method. Defaults to 0. | no |
deleteAuthMethodPattern | A regular expression for one or more custom delete authorization method name patterns. | no | |
deleteAuthMethodTypeParamIndex | 0 | The 0-based index of the sObjectType parameter for the custom delete authorization method. Defaults to 0. | no |
mergeAuthMethodPattern | A regular expression for one or more custom merge authorization method name patterns. | no | |
mergeAuthMethodTypeParamIndex | 0 | The 0-based index of the sObjectType parameter for the custom merge authorization method. Defaults to 0. | no |
createAuthMethodPattern | A regular expression for one or more custom create authorization method name patterns. | no | |
createAuthMethodTypeParamIndex | 0 | The 0-based index of the sObjectType parameter for the custom create authorization method. Defaults to 0. | no |
Use this rule with the default properties by just referencing it:
<rule ref="category/apex/security.xml/ApexCRUDViolation" />
Use this rule and customize it:
<rule ref="category/apex/security.xml/ApexCRUDViolation">
<properties>
<property name="updateAuthMethodPattern" value="" />
<property name="updateAuthMethodTypeParamIndex" value="0" />
<property name="readAuthMethodPattern" value="" />
<property name="readAuthMethodTypeParamIndex" value="0" />
<property name="undeleteAuthMethodPattern" value="" />
<property name="undeleteAuthMethodTypeParamIndex" value="0" />
<property name="deleteAuthMethodPattern" value="" />
<property name="deleteAuthMethodTypeParamIndex" value="0" />
<property name="mergeAuthMethodPattern" value="" />
<property name="mergeAuthMethodTypeParamIndex" value="0" />
<property name="createAuthMethodPattern" value="" />
<property name="createAuthMethodTypeParamIndex" value="0" />
</properties>
</rule>
ApexCSRF
Deprecated
The rule has been moved to another ruleset. Use instead: ApexCSRF
Deprecated
Since: PMD 5.5.3
Priority: Medium (3)
Having DML operations in Apex class constructor or initializers can have unexpected side effects: By just accessing a page, the DML statements would be executed and the database would be modified. Just querying the database is permitted.
In addition to constructors and initializers, any method called init
is checked as well.
Salesforce Apex already protects against this scenario and raises a runtime exception.
Note: This rule has been moved from category "Security" to "Error Prone" with PMD 6.21.0, since using DML in constructors is not a security problem, but crashes the application.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.errorprone.ApexCSRFRule
Example(s):
public class Foo {
// initializer
{
insert data;
}
// static initializer
static {
insert data;
}
// constructor
public Foo() {
insert data;
}
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexCSRF" />
ApexDangerousMethods
Since: PMD 5.5.3
Priority: Medium (3)
Checks against calling dangerous methods.
For the time being, it reports:
- Against
FinancialForce
’sConfiguration.disableTriggerCRUDSecurity()
. Disabling CRUD security opens the door to several attacks and requires manual validation, which is unreliable. - Calling
System.debug
passing sensitive data as parameter, which could lead to exposure of private data.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexDangerousMethodsRule
Example(s):
public class Foo {
public Foo() {
Configuration.disableTriggerCRUDSecurity();
}
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexDangerousMethods" />
ApexInsecureEndpoint
Since: PMD 5.5.3
Priority: Medium (3)
Checks against accessing endpoints under plain http. You should always use https for security.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexInsecureEndpointRule
Example(s):
public without sharing class Foo {
void foo() {
HttpRequest req = new HttpRequest();
req.setEndpoint('http://localhost:com');
}
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexInsecureEndpoint" />
ApexOpenRedirect
Since: PMD 5.5.3
Priority: Medium (3)
Checks against redirects to user-controlled locations. This prevents attackers from redirecting users to phishing sites.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexOpenRedirectRule
Example(s):
public without sharing class Foo {
String unsafeLocation = ApexPage.getCurrentPage().getParameters.get('url_param');
PageReference page() {
return new PageReference(unsafeLocation);
}
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexOpenRedirect" />
ApexSharingViolations
Since: PMD 5.5.3
Priority: Medium (3)
Detect classes declared without explicit sharing mode if DML methods are used. This forces the developer to take access restrictions into account before modifying objects.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexSharingViolationsRule
Example(s):
public without sharing class Foo {
// DML operation here
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexSharingViolations" />
ApexSOQLInjection
Since: PMD 5.5.3
Priority: Medium (3)
Detects the usage of untrusted / unescaped variables in DML queries.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexSOQLInjectionRule
Example(s):
public class Foo {
public void test1(String t1) {
Database.query('SELECT Id FROM Account' + t1);
}
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexSOQLInjection" />
ApexSuggestUsingNamedCred
Since: PMD 5.5.3
Priority: Medium (3)
Detects hardcoded credentials used in requests to an endpoint.
You should refrain from hardcoding credentials:
- They are hard to mantain by being mixed in application code
- Particularly hard to update them when used from different classes
- Granting a developer access to the codebase means granting knowledge of credentials, keeping a two-level access is not possible.
- Using different credentials for different environments is troublesome and error-prone.
Instead, you should use Named Credentials and a callout endpoint.
For more information, you can check this
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexSuggestUsingNamedCredRule
Example(s):
public class Foo {
public void foo(String username, String password) {
Blob headerValue = Blob.valueOf(username + ':' + password);
String authorizationHeader = 'BASIC ' + EncodingUtil.base64Encode(headerValue);
req.setHeader('Authorization', authorizationHeader);
}
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexSuggestUsingNamedCred" />
ApexXSSFromEscapeFalse
Since: PMD 5.5.3
Priority: Medium (3)
Reports on calls to addError
with disabled escaping. The message passed to addError
will be displayed directly to the user in the UI, making it prime ground for XSS
attacks if unescaped.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromEscapeFalseRule
Example(s):
public without sharing class Foo {
Trigger.new[0].addError(vulnerableHTMLGoesHere, false);
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexXSSFromEscapeFalse" />
ApexXSSFromURLParam
Since: PMD 5.5.3
Priority: Medium (3)
Makes sure that all values obtained from URL parameters are properly escaped / sanitized to avoid XSS attacks.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromURLParamRule
Example(s):
public without sharing class Foo {
String unescapedstring = ApexPage.getCurrentPage().getParameters.get('url_param');
String usedLater = unescapedstring;
}
Use this rule by referencing it:
<rule ref="category/apex/security.xml/ApexXSSFromURLParam" />