pmd/pmd_rules_apex_security.html

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Rules that flag potential security flaws.">
<meta name="keywords" content=" Security, ApexBadCrypto, ApexCRUDViolation, ApexDangerousMethods, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexXSSFromEscapeFalse, ApexXSSFromURLParam">
<title>Security | PMD Source Code Analyzer</title>
<link rel="stylesheet" type="text/css" href="assets/fontawesome-free-5.15.4-web/css/all.min.css">
<link rel="stylesheet" type="text/css" href="assets/bootstrap-4.5.2-dist/css/bootstrap.min.css">
<link rel="stylesheet" type="text/css" href="css/syntax.css">
<link rel="stylesheet" type="text/css" href="css/modern-business.css">
<link rel="stylesheet" type="text/css" href="css/customstyles.css">
<link rel="stylesheet" type="text/css" href="css/theme-green.css">
<link rel="stylesheet" type="text/css" href="css/pmd-customstyles.css">
<link rel="shortcut icon" href="images/logo/favicon.ico" type="image/x-icon">
<link rel="icon" href="images/logo/favicon.ico" type="image/x-icon">
<link rel="alternate" type="application/rss+xml" title="" href="feed.xml">
</head>
<body>
<!-- Content is offset by the height of the topnav bar. -->
<!-- There's already a padding-top rule in modern-business.css, but it apparently doesn't work on Firefox 60 and Chrome 67 -->
<div id="topbar-content-offset">
<!-- Page Content -->
<div class="container-toc-wrapper">
<div class="container">
<div class="col-lg-12">&nbsp;</div>
<!-- Content Row -->
<div class="row">
<!-- Sidebar Column -->
<div class="col-md-3" id="tg-sb-sidebar">
<ul id="mysidebar" class="nav">
<li class="sidebarTitle">PMD 7.0.0-SNAPSHOT</li>
<div class="sidebarTitleDate">Release date: ??-?????-2023</div>
</ul>
</div>
<!-- Content Column -->
<div class="col-md-9" id="tg-sb-content">
<header>
<div class="row">
<div class="col-lg-12">
</div>
</div>
<hr />
</header>
<div class="post-header">
<h1 class="post-title-main">Security</h1>
</div>
<div class="post-content" data-github-edit-url="https://github.com/pmd/pmd/blob/master/docs/../pmd-apex/src/main/resources/category/apex/security.xml">
<div class="summary">Rules that flag potential security flaws.</div>
<details id="inline-toc-details">
<summary>Table of Contents</summary>
<div id="inline-toc"><!-- empty, move TOC here when screen size too small --></div>
</details>
<!-- DO NOT EDIT THIS FILE. This file is generated from file ../pmd-apex/src/main/resources/category/apex/security.xml. -->
<h2 id="apexbadcrypto">ApexBadCrypto</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>The rule makes sure you are using randomly generated IVs and keys for <code class="language-plaintext highlighter-rouge">Crypto</code> calls.
Hard-coding these values greatly compromises the security of encrypted data: a key that is a literal in source is available to everyone who can read the code, and a fixed IV reused across messages lets an observer recognise identical plaintext prefixes in the ciphertext.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexBadCryptoRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexBadCryptoRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="nc">Blob</span> <span class="n">hardCodedIV</span> <span class="o">=</span> <span class="nc">Blob</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="err">'</span><span class="nc">Hardcoded</span> <span class="no">IV</span> <span class="mi">123</span><span class="err">'</span><span class="o">);</span>
<span class="nc">Blob</span> <span class="n">hardCodedKey</span> <span class="o">=</span> <span class="nc">Blob</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="err">'</span><span class="mo">0000000000000000</span><span class="err">'</span><span class="o">);</span>
<span class="nc">Blob</span> <span class="n">data</span> <span class="o">=</span> <span class="nc">Blob</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="err">'</span><span class="nc">Data</span> <span class="n">to</span> <span class="n">be</span> <span class="n">encrypted</span><span class="err">'</span><span class="o">);</span>
<span class="nc">Blob</span> <span class="n">encrypted</span> <span class="o">=</span> <span class="nc">Crypto</span><span class="o">.</span><span class="na">encrypt</span><span class="o">(</span><span class="err">'</span><span class="no">AES128</span><span class="err">'</span><span class="o">,</span> <span class="n">hardCodedKey</span><span class="o">,</span> <span class="n">hardCodedIV</span><span class="o">,</span> <span class="n">data</span><span class="o">);</span>
<span class="o">}</span>
</code></pre></div></div>
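<p>For comparison, the following class is an added example written for this page, not code from the PMD project or its rule tests. It shows the hardened counterpart of the flagged class above: the key is generated once with <code class="language-plaintext highlighter-rouge">Crypto.generateAesKey</code> and is assumed to be stored outside source (for instance in a protected custom setting; the store itself is not shown), the IV is drawn randomly for every message, and the managed-IV API carries the IV for you. The class name <code class="language-plaintext highlighter-rouge">SecretBox</code> and its method names are this example's own.</p>

```apex
// Added example for this page, not PMD project code.
// Hardened counterpart of the flagged class: no key or IV literal in source.
public with sharing class SecretBox {

    // Generate a fresh 128-bit key once and persist its base64 form in a
    // protected custom setting or custom metadata record (assumed to exist,
    // not shown here). Never paste the result back into Apex source.
    public static String newKeyBase64() {
        return EncodingUtil.base64Encode(Crypto.generateAesKey(128));
    }

    // Preferred form: the platform draws a random 16-byte IV per call and
    // prepends it to the ciphertext, so callers never handle an IV at all.
    public static Blob seal(Blob key, Blob plaintext) {
        return Crypto.encryptWithManagedIV('AES128', key, plaintext);
    }

    public static Blob open(Blob key, Blob ivAndCiphertext) {
        return Crypto.decryptWithManagedIV('AES128', key, ivAndCiphertext);
    }

    // Explicit-IV form, for a peer that expects IV || ciphertext assembled by
    // you. The IV is still random: generateAesKey(128) is simply 16 bytes from
    // the platform CSPRNG. Apex has no Blob concatenation, so join via hex.
    public static Blob sealExplicitIv(Blob key, Blob plaintext) {
        Blob iv = Crypto.generateAesKey(128);
        Blob ct = Crypto.encrypt('AES128', key, iv, plaintext);
        return EncodingUtil.convertFromHex(
            EncodingUtil.convertToHex(iv) + EncodingUtil.convertToHex(ct));
    }

    public static Blob openExplicitIv(Blob key, Blob ivAndCiphertext) {
        String hex = EncodingUtil.convertToHex(ivAndCiphertext);
        Blob iv = EncodingUtil.convertFromHex(hex.substring(0, 32)); // 16 bytes = 32 hex chars
        Blob ct = EncodingUtil.convertFromHex(hex.substring(32));
        return Crypto.decrypt('AES128', key, iv, ct);
    }

    // Round-trip check for both forms. Run from anonymous Apex:
    //   System.debug(SecretBox.roundTrips());
    // The key is generated here only for the self-test; production code loads it.
    public static Boolean roundTrips() {
        Blob key = Crypto.generateAesKey(128);
        Blob msg = Blob.valueOf('Data to be encrypted');
        Boolean managedOk = open(key, seal(key, msg)).toString() == msg.toString();
        if (!managedOk) {
            return false;
        }
        return openExplicitIv(key, sealExplicitIv(key, msg)).toString() == msg.toString();
    }
}
```

<p>Two caveats worth keeping in mind. <code class="language-plaintext highlighter-rouge">Crypto.encrypt</code> and <code class="language-plaintext highlighter-rouge">encryptWithManagedIV</code> produce unauthenticated AES-CBC ciphertext, so where an attacker could tamper with stored ciphertext you should also compute an HMAC over it with <code class="language-plaintext highlighter-rouge">Crypto.generateMac('hmacSHA256', ...)</code> under a separate key and verify it before decrypting. And the rule is a static check for values hard-coded in Apex: a key kept in an unprotected custom setting or a custom label is invisible to the rule but still readable by anyone with metadata access, so the storage choice matters as much as passing the rule.</p>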
<p><strong>Use this rule by referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexBadCrypto"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexcrudviolation">ApexCRUDViolation</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>The rule validates that you check access permissions before a SOQL/SOSL/DML operation.
Since Apex runs in system mode by default, omitting such checks lets code read or modify objects and fields that the running user has not been granted (escalation of privilege) and may also produce runtime errors. This check forces you to handle such scenarios.</p>
<p>Since Winter '23 (API version 56) you can enforce user mode for database operations by using
<code class="language-plaintext highlighter-rouge">WITH USER_MODE</code> in SOQL. This makes Apex respect the field-level security (FLS) and object
permissions of the running user. When user mode is used, no violation is reported by this rule.</p>
<p>By default, the rule recognizes access checks performed using system Apex provisions such as
<code class="language-plaintext highlighter-rouge">DescribeSObjectResult.isAccessible/Createable/etc.</code>, the SOQL <code class="language-plaintext highlighter-rouge">WITH SECURITY_ENFORCED</code> clause,
or the open source <a href="https://github.com/forcedotcom/force-dot-com-esapi">Force.com ESAPI</a>
class library. Because it is common to use authorization facades for this task, the
rule also allows configuration of regular expression-based patterns for the methods used to
authorize each type of CRUD operation. These patterns are configured via the following properties:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">createAuthMethodPattern</code>/<code class="language-plaintext highlighter-rouge">createAuthMethodTypeParamIndex</code> - a pattern for the method used
for create authorization and an optional 0-based index of the parameter passed to that method
that denotes the <code class="language-plaintext highlighter-rouge">SObjectType</code> being authorized for create.</li>
<li><code class="language-plaintext highlighter-rouge">readAuthMethodPattern</code>/<code class="language-plaintext highlighter-rouge">readAuthMethodTypeParamIndex</code> - a pattern for the method used
for read authorization and an optional 0-based index of the parameter passed to that method
that denotes the <code class="language-plaintext highlighter-rouge">SObjectType</code> being authorized for read.</li>
<li><code class="language-plaintext highlighter-rouge">updateAuthMethodPattern</code>/<code class="language-plaintext highlighter-rouge">updateAuthMethodTypeParamIndex</code> - a pattern for the method used
for update authorization and an optional 0-based index of the parameter passed to that method
that denotes the <code class="language-plaintext highlighter-rouge">SObjectType</code> being authorized for update.</li>
<li><code class="language-plaintext highlighter-rouge">deleteAuthMethodPattern</code>/<code class="language-plaintext highlighter-rouge">deleteAuthMethodTypeParamIndex</code> - a pattern for the method used
for delete authorization and an optional 0-based index of the parameter passed to that method
that denotes the <code class="language-plaintext highlighter-rouge">SObjectType</code> being authorized for delete.</li>
<li><code class="language-plaintext highlighter-rouge">undeleteAuthMethodPattern</code>/<code class="language-plaintext highlighter-rouge">undeleteAuthMethodTypeParamIndex</code> - a pattern for the method used
for undelete authorization and an optional 0-based index of the parameter passed to that method
that denotes the <code class="language-plaintext highlighter-rouge">SObjectType</code> being authorized for undelete.</li>
<li><code class="language-plaintext highlighter-rouge">mergeAuthMethodPattern</code>/<code class="language-plaintext highlighter-rouge">mergeAuthMethodTypeParamIndex</code> - a pattern for the method used
for merge authorization and an optional 0-based index of the parameter passed to that method
that denotes the <code class="language-plaintext highlighter-rouge">SObjectType</code> being authorized for merge.</li>
</ul>
<p>The following example shows how the rule can be configured for the
<a href="https://github.com/SCWells72/sirono-common">sirono-common</a>
<a href="https://github.com/SCWells72/sirono-common#authorization-utilities"><code class="language-plaintext highlighter-rouge">AuthorizationUtil</code></a> class:</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexCRUDViolation"</span> <span class="na">message=</span><span class="s">"Validate CRUD permission before SOQL/DML operation"</span><span class="nt">&gt;</span>
<span class="nt">&lt;priority&gt;</span>3<span class="nt">&lt;/priority&gt;</span>
<span class="nt">&lt;properties&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"createAuthMethodPattern"</span> <span class="na">value=</span><span class="s">"AuthorizationUtil\.(is|assert)(Createable|Upsertable)"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"readAuthMethodPattern"</span> <span class="na">value=</span><span class="s">"AuthorizationUtil\.(is|assert)Accessible"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"updateAuthMethodPattern"</span> <span class="na">value=</span><span class="s">"AuthorizationUtil\.(is|assert)(Updateable|Upsertable)"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"deleteAuthMethodPattern"</span> <span class="na">value=</span><span class="s">"AuthorizationUtil\.(is|assert)Deletable"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"undeleteAuthMethodPattern"</span> <span class="na">value=</span><span class="s">"AuthorizationUtil\.(is|assert)Undeletable"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"mergeAuthMethodPattern"</span> <span class="na">value=</span><span class="s">"AuthorizationUtil\.(is|assert)Mergeable"</span><span class="nt">/&gt;</span>
<span class="nt">&lt;/properties&gt;</span>
<span class="nt">&lt;/rule&gt;</span>
</code></pre></div></div>
<p>Note: This rule will produce false positives for VF getter methods. In VF getters the access permission
check happens automatically and is not needed explicitly. However, the rule can't reliably determine
whether a getter is a VF getter or not and reports a violation in any case. In such cases, the violation
should be <a href="pmd_userdocs_suppressing_warnings.html">suppressed</a>.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexCRUDViolationRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexCRUDViolationRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kd">public</span> <span class="nc">Contact</span> <span class="nf">foo</span><span class="o">(</span><span class="nc">String</span> <span class="n">status</span><span class="o">,</span> <span class="nc">String</span> <span class="no">ID</span><span class="o">)</span> <span class="o">{</span>
<span class="c1">// validate you can actually query what you intend to retrieve</span>
<span class="nc">Contact</span> <span class="n">c</span> <span class="o">=</span> <span class="o">[</span><span class="no">SELECT</span> <span class="n">Status__c</span> <span class="no">FROM</span> <span class="nc">Contact</span> <span class="no">WHERE</span> <span class="nc">Id</span><span class="o">=:</span><span class="no">ID</span> <span class="no">WITH</span> <span class="no">SECURITY_ENFORCED</span><span class="o">];</span>
<span class="c1">// Make sure we can update the database before even trying</span>
<span class="k">if</span> <span class="o">(!</span><span class="nc">Schema</span><span class="o">.</span><span class="na">sObjectType</span><span class="o">.</span><span class="na">Contact</span><span class="o">.</span><span class="na">fields</span><span class="o">.</span><span class="na">Status__c</span><span class="o">.</span><span class="na">isUpdateable</span><span class="o">())</span> <span class="o">{</span>
<span class="k">return</span> <span class="kc">null</span><span class="o">;</span>
<span class="o">}</span>
<span class="n">c</span><span class="o">.</span><span class="na">Status__c</span> <span class="o">=</span> <span class="n">status</span><span class="o">;</span>
<span class="n">update</span> <span class="n">c</span><span class="o">;</span>
<span class="k">return</span> <span class="n">c</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
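<p>The following two classes are an added example for this page (not PMD's own code, and not the sirono-common library referenced above). They put the documented options side by side on one Contact update: the unchecked form the rule flags, user mode, explicit describe checks at object and field level, and a hypothetical project facade <code class="language-plaintext highlighter-rouge">Authz</code> whose class and method names are this example's own. The Visualforce getter at the end shows the per-method suppression the note above recommends. One assumption to verify: the page documents user mode for SOQL only, while the example also passes <code class="language-plaintext highlighter-rouge">AccessLevel.USER_MODE</code> to <code class="language-plaintext highlighter-rouge">Database.update</code>, which is a platform API; check whether your PMD version treats that DML form as a check.</p>

```apex
// Added example for this page, not PMD project code.
// File: Authz.cls
// Hypothetical authorization facade (assumed for this example only).
public with sharing class Authz {
    public class AccessDeniedException extends Exception {}

    // Parameter 0 is the SObjectType, which matches the rule's default
    // *AuthMethodTypeParamIndex of 0.
    public static void requireAccessible(Schema.SObjectType t) {
        if (!t.getDescribe().isAccessible()) {
            throw new AccessDeniedException('No read access to ' + t.getDescribe().getName());
        }
    }

    public static void requireUpdateable(Schema.SObjectType t) {
        if (!t.getDescribe().isUpdateable()) {
            throw new AccessDeniedException('No update access to ' + t.getDescribe().getName());
        }
    }
}

// File: ContactStatusService.cls
public with sharing class ContactStatusService {

    // Flagged by the rule: system mode with no permission check, so a user whose
    // profile grants only Read on Contact can still change Status__c through it.
    public static void updateStatusUnchecked(Id contactId, String status) {
        update new Contact(Id = contactId, Status__c = status);
    }

    // (a) User mode (API 56+): the platform applies the running user's object and
    //     field permissions to the query and to the DML, and throws on denial.
    public static Contact updateStatusUserMode(Id contactId, String status) {
        Contact c = [SELECT Id, Status__c FROM Contact
                     WHERE Id = :contactId WITH USER_MODE];
        c.Status__c = status;
        Database.update(c, AccessLevel.USER_MODE);
        return c;
    }

    // (b) Explicit describe checks before the DML, at object and field level;
    //     the read is guarded by WITH SECURITY_ENFORCED.
    public static Contact updateStatusDescribe(Id contactId, String status) {
        if (!Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.Status__c.isUpdateable()) {
            throw new Authz.AccessDeniedException('No update access to Contact.Status__c');
        }
        Contact c = [SELECT Id, Status__c FROM Contact
                     WHERE Id = :contactId WITH SECURITY_ENFORCED];
        c.Status__c = status;
        update c;
        return c;
    }

    // (c) Project facade: the rule accepts these calls as the read and update
    //     checks only once the ruleset maps the patterns to Authz (see below).
    public static Contact updateStatusFacade(Id contactId, String status) {
        Authz.requireAccessible(Contact.SObjectType);
        Authz.requireUpdateable(Contact.SObjectType);
        Contact c = [SELECT Id, Status__c FROM Contact WHERE Id = :contactId];
        c.Status__c = status;
        update c;
        return c;
    }

    // Visualforce getter: access is checked by the platform here, but the rule
    // cannot tell this is a VF getter, so the documented false positive is
    // suppressed on this one method rather than for the whole class.
    @SuppressWarnings('PMD.ApexCRUDViolation')
    public Contact[] getRecentContacts() {
        return [SELECT Id, Name FROM Contact ORDER BY CreatedDate DESC LIMIT 10];
    }
}
```

<p>For the facade variant to count as a check, map it in the ruleset the same way the sirono-common configuration above does: set <code class="language-plaintext highlighter-rouge">readAuthMethodPattern</code> to <code class="language-plaintext highlighter-rouge">Authz\.requireAccessible</code> and <code class="language-plaintext highlighter-rouge">updateAuthMethodPattern</code> to <code class="language-plaintext highlighter-rouge">Authz\.requireUpdateable</code>, leaving the <code class="language-plaintext highlighter-rouge">*TypeParamIndex</code> properties at their default of 0 because the <code class="language-plaintext highlighter-rouge">SObjectType</code> is the first parameter. Without that mapping, <code class="language-plaintext highlighter-rouge">updateStatusFacade</code> is reported exactly like <code class="language-plaintext highlighter-rouge">updateStatusUnchecked</code>, which is the intended behaviour: an unknown helper proves nothing to a static check.</p>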
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>readAuthMethodPattern</td>
<td> </td>
<td>A regular expression for one or more custom read authorization method name patterns.</td>
</tr>
<tr>
<td>readAuthMethodTypeParamIndex</td>
<td>0</td>
<td>The 0-based index of the sObjectType parameter for the custom read authorization method. Defaults to 0.</td>
</tr>
<tr>
<td>mergeAuthMethodPattern</td>
<td> </td>
<td>A regular expression for one or more custom merge authorization method name patterns.</td>
</tr>
<tr>
<td>mergeAuthMethodTypeParamIndex</td>
<td>0</td>
<td>The 0-based index of the sObjectType parameter for the custom merge authorization method. Defaults to 0.</td>
</tr>
<tr>
<td>updateAuthMethodPattern</td>
<td> </td>
<td>A regular expression for one or more custom update authorization method name patterns.</td>
</tr>
<tr>
<td>updateAuthMethodTypeParamIndex</td>
<td>0</td>
<td>The 0-based index of the sObjectType parameter for the custom update authorization method. Defaults to 0.</td>
</tr>
<tr>
<td>createAuthMethodPattern</td>
<td> </td>
<td>A regular expression for one or more custom create authorization method name patterns.</td>
</tr>
<tr>
<td>createAuthMethodTypeParamIndex</td>
<td>0</td>
<td>The 0-based index of the sObjectType parameter for the custom create authorization method. Defaults to 0.</td>
</tr>
<tr>
<td>deleteAuthMethodPattern</td>
<td> </td>
<td>A regular expression for one or more custom delete authorization method name patterns.</td>
</tr>
<tr>
<td>deleteAuthMethodTypeParamIndex</td>
<td>0</td>
<td>The 0-based index of the sObjectType parameter for the custom delete authorization method. Defaults to 0.</td>
</tr>
<tr>
<td>undeleteAuthMethodPattern</td>
<td> </td>
<td>A regular expression for one or more custom undelete authorization method name patterns.</td>
</tr>
<tr>
<td>undeleteAuthMethodTypeParamIndex</td>
<td>0</td>
<td>The 0-based index of the sObjectType parameter for the custom undelete authorization method. Defaults to 0.</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexCRUDViolation"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<p><strong>Use this rule and customize it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexCRUDViolation"</span><span class="nt">&gt;</span>
<span class="nt">&lt;properties&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"readAuthMethodPattern"</span> <span class="na">value=</span><span class="s">""</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"readAuthMethodTypeParamIndex"</span> <span class="na">value=</span><span class="s">"0"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"mergeAuthMethodPattern"</span> <span class="na">value=</span><span class="s">""</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"mergeAuthMethodTypeParamIndex"</span> <span class="na">value=</span><span class="s">"0"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"updateAuthMethodPattern"</span> <span class="na">value=</span><span class="s">""</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"updateAuthMethodTypeParamIndex"</span> <span class="na">value=</span><span class="s">"0"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"createAuthMethodPattern"</span> <span class="na">value=</span><span class="s">""</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"createAuthMethodTypeParamIndex"</span> <span class="na">value=</span><span class="s">"0"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"deleteAuthMethodPattern"</span> <span class="na">value=</span><span class="s">""</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"deleteAuthMethodTypeParamIndex"</span> <span class="na">value=</span><span class="s">"0"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"undeleteAuthMethodPattern"</span> <span class="na">value=</span><span class="s">""</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"undeleteAuthMethodTypeParamIndex"</span> <span class="na">value=</span><span class="s">"0"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/properties&gt;</span>
<span class="nt">&lt;/rule&gt;</span>
</code></pre></div></div>
<h2 id="apexdangerousmethods">ApexDangerousMethods</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Checks against calling dangerous methods.</p>
<p>For the time being, it reports:</p>
<ul>
<li>Against <code class="language-plaintext highlighter-rouge">FinancialForce</code>'s <code class="language-plaintext highlighter-rouge">Configuration.disableTriggerCRUDSecurity()</code>. Disabling CRUD security
opens the door to several attacks and shifts every object-level permission check onto manual validation, which is unreliable.</li>
<li>Calling <code class="language-plaintext highlighter-rouge">System.debug</code> with sensitive data as the parameter. Debug logs are retained and readable by anyone who can view them, so a secret written there is exposed
beyond the code that handled it.</li>
</ul>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexDangerousMethodsRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexDangerousMethodsRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kd">public</span> <span class="nf">Foo</span><span class="o">()</span> <span class="o">{</span>
<span class="nc">Configuration</span><span class="o">.</span><span class="na">disableTriggerCRUDSecurity</span><span class="o">();</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>Use this rule by referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexDangerousMethods"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexinsecureendpoint">ApexInsecureEndpoint</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Checks against accessing endpoints under plain <strong>http</strong>. A plaintext callout exposes the request, including any credentials in its headers, to interception and tampering on the network path; you should always use
<strong>https</strong>.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexInsecureEndpointRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexInsecureEndpointRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kt">void</span> <span class="nf">foo</span><span class="o">()</span> <span class="o">{</span>
<span class="nc">HttpRequest</span> <span class="n">req</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HttpRequest</span><span class="o">();</span>
<span class="n">req</span><span class="o">.</span><span class="na">setEndpoint</span><span class="o">(</span><span class="err">'</span><span class="nl">http:</span><span class="c1">//localhost:com');</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>Use this rule by referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexInsecureEndpoint"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexopenredirect">ApexOpenRedirect</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Checks against redirects to user-controlled locations, for example a URL parameter passed straight into a <code class="language-plaintext highlighter-rouge">PageReference</code>. An attacker who controls the target can bounce users from a trusted Salesforce URL to a phishing site, so the
target must be validated against an allowlist before the redirect is issued.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexOpenRedirectRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexOpenRedirectRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
    <span class="nc">String</span> <span class="n">unsafeLocation</span> <span class="o">=</span> <span class="nc">ApexPages</span><span class="o">.</span><span class="na">currentPage</span><span class="o">().</span><span class="na">getParameters</span><span class="o">().</span><span class="na">get</span><span class="o">(</span><span class="err">'</span><span class="n">url_param</span><span class="err">'</span><span class="o">);</span>
<span class="nc">PageReference</span> <span class="nf">page</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">PageReference</span><span class="o">(</span><span class="n">unsafeLocation</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>Use this rule by referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexOpenRedirect"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
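<p>The check the rule is asking for, as an added example that is not part of PMD's own code: the redirect target is accepted only if it is a path-relative URL or an absolute https URL on this org's own domain, and everything else falls back to a fixed page. The parameter name <code class="language-plaintext highlighter-rouge">retURL</code>, the class name and the fallback path are assumptions.</p>

```apex
// Added example, not PMD's or Salesforce's code. Names and the 'retURL'
// parameter are assumptions.
public with sharing class SafeRedirectController {
    private static final String FALLBACK = '/';

    public PageReference redirect() {
        String target = ApexPages.currentPage().getParameters().get('retURL');
        return new PageReference(safeTarget(target));
    }

    // Returns the target unchanged only if it cannot leave the org:
    //  - a path-relative value ("/apex/Page?x=1"), but not a scheme-relative
    //    one ("//evil.example") or its backslash variant ("/\evil.example"),
    //    which browsers normalise into a different host; or
    //  - an absolute https URL whose host is exactly this org's domain.
    // External hosts, javascript:/data: schemes and blanks fall back.
    public static String safeTarget(String target) {
        if (String.isBlank(target)) {
            return FALLBACK;
        }
        String t = target.trim();
        if (t.startsWith('/') &amp;&amp; !t.startsWith('//') &amp;&amp; !t.startsWith('/\\')) {
            return t;
        }
        try {
            Url u = new Url(t);
            String orgHost = Url.getOrgDomainUrl().getHost();
            if (u.getProtocol() == 'https' &amp;&amp; u.getHost().equalsIgnoreCase(orgHost)) {
                return t;
            }
        } catch (Exception e) {
            // Unparseable, or a non-http(s) scheme: treat as hostile.
        }
        return FALLBACK;
    }
}
```

<p>PMD's data-flow reasoning is local, so it may still report the <code class="language-plaintext highlighter-rouge">new PageReference(...)</code> here; in that case suppress that single finding with a justification rather than weaken the check. Note that the host comparison is exact: a subdomain match such as <code class="language-plaintext highlighter-rouge">endsWith(orgHost)</code> would accept <code class="language-plaintext highlighter-rouge">evil-myorg.my.salesforce.com</code>-style lookalikes.</p>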
<h2 id="apexsharingviolations">ApexSharingViolations</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Detects classes that perform DML without an explicit sharing mode (<code class="language-plaintext highlighter-rouge">with sharing</code>, <code class="language-plaintext highlighter-rouge">without sharing</code> or <code class="language-plaintext highlighter-rouge">inherited sharing</code>). Declaring one
forces the developer to decide whether the running user's record-level sharing rules apply before the class modifies data.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSharingViolationsRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexSharingViolationsRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="c1">// DML operation here</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>Use this rule by referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexSharingViolations"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
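<p>Added example (not PMD's code) that serves both this rule and the custom authorization properties of <code class="language-plaintext highlighter-rouge">ApexCRUDViolation</code> above: a service class with an explicit <code class="language-plaintext highlighter-rouge">with sharing</code> mode whose DML goes through a helper that takes the <code class="language-plaintext highlighter-rouge">SObjectType</code> as its first parameter (index 0), the shape the default <code class="language-plaintext highlighter-rouge">*AuthMethodTypeParamIndex</code> values describe. The helper <code class="language-plaintext highlighter-rouge">CrudAuth</code>, its method names and the regex form of the property values shown in the comment are assumptions.</p>

```apex
// Added example, not PMD's code. Two classes, each in its own file in a real org.

// Hypothetical authorization helper. Each check takes the SObjectType as its
// first parameter (index 0), matching the default *AuthMethodTypeParamIndex.
// Assumed rule configuration (the regex form is an assumption):
//   <property name="createAuthMethodPattern" value="CrudAuth\.checkCreate" />
//   <property name="updateAuthMethodPattern" value="CrudAuth\.checkUpdate" />
public inherited sharing class CrudAuth {
    public class AccessException extends Exception {}

    public static void checkCreate(Schema.SObjectType sObjectType) {
        if (!sObjectType.getDescribe().isCreateable()) {
            throw new AccessException('No create access on ' + String.valueOf(sObjectType));
        }
    }

    public static void checkUpdate(Schema.SObjectType sObjectType) {
        if (!sObjectType.getDescribe().isUpdateable()) {
            throw new AccessException('No update access on ' + String.valueOf(sObjectType));
        }
    }
}

// Explicit sharing mode: the running user's record-level sharing is enforced,
// so ApexSharingViolations has nothing to report. Sharing mode does not
// enforce object or field permissions; that is what the CrudAuth calls do.
public with sharing class AccountService {
    public static Account createAccount(String name) {
        CrudAuth.checkCreate(Account.SObjectType);
        Account a = new Account(Name = name);
        insert a;
        return a;
    }

    public static void appendSuffix(List&lt;Account&gt; accounts, String suffix) {
        CrudAuth.checkUpdate(Account.SObjectType);
        for (Account a : accounts) {
            a.Name = a.Name + suffix;
        }
        update accounts;
    }
}
```

<p>The helper checks object-level permissions only. Field-level security still needs a field describe, <code class="language-plaintext highlighter-rouge">Security.stripInaccessible</code>, or user-mode database operations (<code class="language-plaintext highlighter-rouge">AccessLevel.USER_MODE</code>), and a <code class="language-plaintext highlighter-rouge">without sharing</code> class that calls into this one bypasses none of these checks but does bypass the record-level sharing.</p>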
<h2 id="apexsoqlinjection">ApexSOQLInjection</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Detects untrusted or unescaped variables concatenated into dynamic SOQL (<code class="language-plaintext highlighter-rouge">Database.query</code>) strings, which lets the caller alter the query and read records or fields the query never intended to expose.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexSOQLInjectionRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">test1</span><span class="o">(</span><span class="nc">String</span> <span class="n">t1</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">Database</span><span class="o">.</span><span class="na">query</span><span class="o">(</span><span class="err">'</span><span class="no">SELECT</span> <span class="nc">Id</span> <span class="no">FROM</span> <span class="nc">Account</span><span class="err">'</span> <span class="o">+</span> <span class="n">t1</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>Use this rule by referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexSOQLInjection"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
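<p>The flagged pattern beside its fixes, as an added example that is not PMD's own code. A bind variable (static SOQL, or <code class="language-plaintext highlighter-rouge">Database.queryWithBinds</code> when the query text must be assembled at runtime) sends the value separately from the query text, so it can never be parsed as SOQL; <code class="language-plaintext highlighter-rouge">String.escapeSingleQuotes</code> is the last resort, and only for values that sit inside single quotes. The class name, the allowlisted field names and an API version new enough for <code class="language-plaintext highlighter-rouge">WITH USER_MODE</code> and <code class="language-plaintext highlighter-rouge">queryWithBinds</code> are assumptions.</p>

```apex
// Added example, not PMD's code. Assumes an API version with
// WITH USER_MODE and Database.queryWithBinds.
public with sharing class AccountSearch {
    public class SearchException extends Exception {}

    // Flagged: the caller's string becomes part of the SOQL text. A value
    // such as  x' OR Name LIKE '%  changes the shape of the query.
    public static List&lt;Account&gt; findByNameUnsafe(String name) {
        return Database.query('SELECT Id, Name FROM Account WHERE Name = \'' + name + '\'');
    }

    // Preferred: static SOQL with a bind variable. The value is never
    // interpreted as query text, and USER_MODE applies the user's FLS/CRUD.
    public static List&lt;Account&gt; findByName(String name) {
        return [SELECT Id, Name FROM Account WHERE Name = :name WITH USER_MODE];
    }

    // Dynamic query that stays safe: the value is bound, and the only
    // non-bindable part (the field name) is allowlisted, never concatenated
    // straight from input.
    private static final Set&lt;String&gt; FILTERABLE = new Set&lt;String&gt;{'Name', 'AccountNumber'};

    public static List&lt;Account&gt; findByField(String field, String value) {
        if (!FILTERABLE.contains(field)) {
            throw new SearchException('Field not filterable: ' + field);
        }
        String soql = 'SELECT Id, Name FROM Account WHERE ' + field + ' = :value';
        return Database.queryWithBinds(
            soql, new Map&lt;String, Object&gt;{'value' =&gt; value}, AccessLevel.USER_MODE);
    }

    // Last resort when binding is impossible: escapeSingleQuotes neutralises
    // the quote that would end the literal. It does nothing for LIKE
    // wildcards (% and _) or for values outside quotes, such as numbers,
    // field names or ORDER BY clauses.
    public static List&lt;Account&gt; searchByPrefixEscaped(String prefix) {
        String pattern = String.escapeSingleQuotes(prefix) + '%';
        return Database.query('SELECT Id, Name FROM Account WHERE Name LIKE \'' + pattern + '\'');
    }
}
```

<p>Even the <code class="language-plaintext highlighter-rouge">LIKE</code> case can usually be bound (<code class="language-plaintext highlighter-rouge">Name LIKE :pattern</code>); the escaped version is kept here only to show what escaping does and does not cover.</p>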
<h2 id="apexsuggestusingnamedcred">ApexSuggestUsingNamedCred</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Detects hardcoded credentials used in requests to an endpoint.</p>
<p>You should refrain from hardcoding credentials:</p>
<ul>
<li>They are hard to maintain because they are mixed into application code.</li>
<li>They are particularly hard to rotate when the same credential is used from several classes.</li>
<li>Granting a developer access to the codebase means granting knowledge
of the credentials; a two-level access model, where code access and secret access are separate, is not possible.</li>
<li>Using different credentials for different environments (sandbox, production) is troublesome
and error-prone.</li>
</ul>
<p>Instead, use <em>Named Credentials</em> and a <code class="language-plaintext highlighter-rouge">callout:</code> endpoint, so the platform injects the endpoint URL and the authentication header at runtime and the code never holds the secret.</p>
<p>For more information, see <a href="https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_callouts_named_credentials.htm">Named Credentials as Callout Endpoints</a> in the Apex Developer Guide.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSuggestUsingNamedCredRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexSuggestUsingNamedCredRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">foo</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">,</span> <span class="nc">String</span> <span class="n">password</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">Blob</span> <span class="n">headerValue</span> <span class="o">=</span> <span class="nc">Blob</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="n">username</span> <span class="o">+</span> <span class="sc">':'</span> <span class="o">+</span> <span class="n">password</span><span class="o">);</span>
<span class="nc">String</span> <span class="n">authorizationHeader</span> <span class="o">=</span> <span class="err">'</span><span class="no">BASIC</span> <span class="err">'</span> <span class="o">+</span> <span class="nc">EncodingUtil</span><span class="o">.</span><span class="na">base64Encode</span><span class="o">(</span><span class="n">headerValue</span><span class="o">);</span>
<span class="n">req</span><span class="o">.</span><span class="na">setHeader</span><span class="o">(</span><span class="err">'</span><span class="nc">Authorization</span><span class="err">'</span><span class="o">,</span> <span class="n">authorizationHeader</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>Use this rule by referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexSuggestUsingNamedCred"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
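<p>One client that shows both what <code class="language-plaintext highlighter-rouge">ApexInsecureEndpoint</code> and <code class="language-plaintext highlighter-rouge">ApexSuggestUsingNamedCred</code> flag and the fix for both, as an added example that is not PMD's own code: the unsafe method uses a plaintext endpoint and builds a Basic header from credentials the code has to know; the safe method relies on a Named Credential over https. The class name, the host, the path and the Named Credential name <code class="language-plaintext highlighter-rouge">Inventory_API</code> (assumed to be configured with an https URL and password authentication) are assumptions.</p>

```apex
// Added example, not PMD's code. Host, path and the Named Credential name
// are assumptions.
public with sharing class InventoryClient {
    public class InventoryException extends Exception {}

    // Flagged by both rules: plain http (the header and the response are
    // readable and modifiable by anyone on the path) and an Authorization
    // header assembled from credentials that live in code or in parameters.
    public static HttpResponse fetchItemsUnsafe(String username, String password) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://inventory.example.com/api/items');
        req.setMethod('GET');
        Blob header = Blob.valueOf(username + ':' + password);
        req.setHeader('Authorization', 'Basic ' + EncodingUtil.base64Encode(header));
        return new Http().send(req);
    }

    // Fixed: the Named Credential supplies the https base URL and the
    // Authorization header at runtime. The secret is stored and rotated in
    // Setup, differs per environment, and is never visible to this code.
    public static HttpResponse fetchItems() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Inventory_API/api/items');
        req.setMethod('GET');
        req.setTimeout(10000);
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() &gt;= 400) {
            throw new InventoryException('Inventory API returned ' + res.getStatusCode());
        }
        return res;
    }
}
```

<p>The <code class="language-plaintext highlighter-rouge">callout:</code> prefix also removes the need for a Remote Site Setting, and the Named Credential's URL is where the https requirement is enforced; a credential configured with an http URL would reintroduce the first finding without the rule being able to see it.</p>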
<h2 id="apexxssfromescapefalse">ApexXSSFromEscapeFalse</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Reports on calls to <code class="language-plaintext highlighter-rouge">addError</code> with disabled escaping. The message passed to <code class="language-plaintext highlighter-rouge">addError</code>
will be displayed directly to the user in the UI, making it prime ground for XSS
attacks if unescaped.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromEscapeFalseRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromEscapeFalseRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
    <span class="c1">// called from a trigger, so Trigger.new is populated</span>
    <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">foo</span><span class="o">(</span><span class="nc">String</span> <span class="n">vulnerableHTMLGoesHere</span><span class="o">)</span> <span class="o">{</span>
        <span class="nc">Trigger</span><span class="o">.</span><span class="na">new</span><span class="o">[</span><span class="mi">0</span><span class="o">].</span><span class="na">addError</span><span class="o">(</span><span class="n">vulnerableHTMLGoesHere</span><span class="o">,</span> <span class="kc">false</span><span class="o">);</span>
    <span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>Use this rule by referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexXSSFromEscapeFalse"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexxssfromurlparam">ApexXSSFromURLParam</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Reports values read from URL parameters (<code class="language-plaintext highlighter-rouge">ApexPages.currentPage().getParameters()</code>) that are used without being escaped or sanitized first. Such values are attacker-controlled, and rendering them
unescaped leads to XSS.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromURLParamRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
    <span class="nc">String</span> <span class="n">unescapedstring</span> <span class="o">=</span> <span class="nc">ApexPages</span><span class="o">.</span><span class="na">currentPage</span><span class="o">().</span><span class="na">getParameters</span><span class="o">().</span><span class="na">get</span><span class="o">(</span><span class="err">'</span><span class="n">url_param</span><span class="err">'</span><span class="o">);</span>
<span class="nc">String</span> <span class="n">usedLater</span> <span class="o">=</span> <span class="n">unescapedstring</span><span class="o">;</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>Use this rule by referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexXSSFromURLParam"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
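<p>Added example (not PMD's code) covering both this rule and <code class="language-plaintext highlighter-rouge">ApexXSSFromEscapeFalse</code> above: a controller that escapes a URL parameter once per output context at the trust boundary, and a trigger handler shown in its flagged form (escaping switched off) and its fixed form (platform escaping left on). The class name, the <code class="language-plaintext highlighter-rouge">msg</code> parameter and the "reserved name" business rule are assumptions.</p>

```apex
// Added example, not PMD's code. Names and the 'msg' parameter are assumptions.
public with sharing class MessageController {
    // For an HTML text context, e.g. <apex:outputText value="{!htmlMessage}" escape="false"/>
    public String htmlMessage { get; private set; }
    // For a JavaScript string literal, e.g. var m = '{!jsMessage}';
    // (the page-side alternative is {!JSENCODE(...)}).
    public String jsMessage { get; private set; }

    public MessageController() {
        String raw = ApexPages.currentPage().getParameters().get('msg');
        if (raw == null) {
            raw = '';
        }
        // Escape once per output context. Visualforce escapes {!expr} in
        // markup by default; the explicit versions are for places where that
        // default is off (escape="false") or does not apply (script blocks).
        htmlMessage = raw.escapeHtml4();
        jsMessage = raw.escapeEcmaScript();
    }

    // Flagged by ApexXSSFromEscapeFalse: escaping is switched off, so a
    // record name containing markup is rendered as HTML in the error banner.
    public static void rejectReservedUnsafe(List&lt;Account&gt; accounts, Set&lt;String&gt; reserved) {
        for (Account a : accounts) {
            if (reserved.contains(a.Name)) {
                a.addError('Reserved name: ' + a.Name, false);
            }
        }
    }

    // Fixed: leave escaping on (the default) and let the platform encode the
    // record value. No markup is needed in the message, so nothing is lost.
    public static void rejectReserved(List&lt;Account&gt; accounts, Set&lt;String&gt; reserved) {
        for (Account a : accounts) {
            if (reserved.contains(a.Name)) {
                a.addError('Reserved name: ' + a.Name);
            }
        }
    }
}
```

<p>Escaping is context-specific: an HTML-escaped value is still dangerous inside a <code class="language-plaintext highlighter-rouge">&lt;script&gt;</code> block or an <code class="language-plaintext highlighter-rouge">href</code>, and escaping twice (manually and again by the platform) shows literal <code class="language-plaintext highlighter-rouge">&amp;amp;</code> sequences to the user. Pick the one encoder that matches where the value lands.</p>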
<div class="tags">
</div>
</div>
<footer>
<hr />
<div>
This documentation is written in markdown. <br />
If there is something missing or can be improved, edit this page on
github and create a PR:
<a
target="_blank"
href="https://github.com/pmd/pmd/blob/master/docs/../pmd-apex/src/main/resources/category/apex/security.xml"
role="button"
><i class="fab fa-github fa-lg"></i> Edit on GitHub</a
>
</div>
<hr />
<div class="row">
<div class="col-lg-12 footer">
&copy;2024 PMD Open Source Project. All rights
reserved. <br />
Site last generated: Feb 29, 2024 <br />
<p>
<img src="images/logo/pmd-logo-70px.png" alt="PMD
logo"/>
</p>
</div>
</div>
</footer>
</div>
<!-- /.row -->
</div>
<!-- /.container -->
</div>
<!-- Sticky TOC column -->
<div class="toc-col">
<div id="toc"></div>
</div>
<!-- /.toc-container-wrapper -->
</div>
</div>
<script type="application/javascript" src="assets/jquery-3.5.1/jquery-3.5.1.min.js"></script>
<script type="application/javascript" src="assets/anchorjs-4.2.2/anchor.min.js"></script>
<script type="application/javascript" src="assets/navgoco-0.2.1/src/jquery.navgoco.min.js"></script>
<script type="application/javascript" src="assets/bootstrap-4.5.2-dist/js/bootstrap.bundle.min.js"></script>
<script type="application/javascript" src="assets/Simple-Jekyll-Search-1.0.8/dest/jekyll-search.js"></script>
<script type="application/javascript" src="assets/jekyll-table-of-contents/toc.js"></script>
<script type="application/javascript" src="js/tabstate.js"></script>
<script type="application/javascript" src="js/customscripts.js"></script>
</body>
</html>