<!DOCTYPE html>
< html >
< head >
< meta charset = "utf-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1" >
< meta name = "description" content = "Rules that flag potential security flaws." >
< meta name = "keywords" content = " Security, ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexXSSFromEscapeFalse, ApexXSSFromURLParam" >
< title > Security | PMD Source Code Analyzer< / title >
< / head >
< body >
< div class = "container-toc-wrapper" >
< div class = "container" >
< div class = "col-lg-12" > < / div >
<!-- Content Row -->
< div class = "row" >
<!-- Content Column -->
< div class = "col-md-9" id = "tg-sb-content" >
< div class = "post-header" >
< h1 class = "post-title-main" > Security< / h1 >
< / div >
< div class = "post-content" data-github-edit-url = "https://github.com/pmd/pmd/blob/master/docs/../pmd-apex/src/main/resources/category/apex/security.xml" >
< div class = "summary" > Rules that flag potential security flaws.< / div >
<!-- DO NOT EDIT THIS FILE. This file is generated from file ../pmd-apex/src/main/resources/category/apex/security.xml. -->
< h2 id = "apexbadcrypto" > ApexBadCrypto< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
<p>The rule makes sure you are using randomly generated IVs and keys for <code class="language-plaintext highlighter-rouge">Crypto</code> calls.
Hard-wiring these values greatly compromises the security of encrypted data: a key embedded in source is available to anyone who can read the code, and reusing a fixed IV under the same key lets identical plaintexts encrypt to identical ciphertexts, leaking information about the protected data. Generate a fresh key and IV from a cryptographically secure random source instead of using a literal.</p>
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexBadCryptoRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexBadCryptoRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "n" > without< / span > < span class = "n" > sharing< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "nc" > Blob< / span > < span class = "n" > hardCodedIV< / span > < span class = "o" > =< / span > < span class = "nc" > Blob< / span > < span class = "o" > .< / span > < span class = "na" > valueOf< / span > < span class = "o" > (< / span > < span class = "err" > '< / span > < span class = "nc" > Hardcoded< / span > < span class = "no" > IV< / span > < span class = "mi" > 123< / span > < span class = "err" > '< / span > < span class = "o" > );< / span >
< span class = "nc" > Blob< / span > < span class = "n" > hardCodedKey< / span > < span class = "o" > =< / span > < span class = "nc" > Blob< / span > < span class = "o" > .< / span > < span class = "na" > valueOf< / span > < span class = "o" > (< / span > < span class = "err" > '< / span > < span class = "mo" > 0000000000000000< / span > < span class = "err" > '< / span > < span class = "o" > );< / span >
< span class = "nc" > Blob< / span > < span class = "n" > data< / span > < span class = "o" > =< / span > < span class = "nc" > Blob< / span > < span class = "o" > .< / span > < span class = "na" > valueOf< / span > < span class = "o" > (< / span > < span class = "err" > '< / span > < span class = "nc" > Data< / span > < span class = "n" > to< / span > < span class = "n" > be< / span > < span class = "n" > encrypted< / span > < span class = "err" > '< / span > < span class = "o" > );< / span >
< span class = "nc" > Blob< / span > < span class = "n" > encrypted< / span > < span class = "o" > =< / span > < span class = "nc" > Crypto< / span > < span class = "o" > .< / span > < span class = "na" > encrypt< / span > < span class = "o" > (< / span > < span class = "err" > '< / span > < span class = "no" > AES128< / span > < span class = "err" > '< / span > < span class = "o" > ,< / span > < span class = "n" > hardCodedKey< / span > < span class = "o" > ,< / span > < span class = "n" > hardCodedIV< / span > < span class = "o" > ,< / span > < span class = "n" > data< / span > < span class = "o" > );< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
<td>yes. Delimiter is '|'.</td>
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexBadCrypto"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexcrudviolation" > ApexCRUDViolation< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
<p>The rule validates that you check for access permissions before a SOQL/SOSL/DML operation.
Because Apex runs in system mode by default, the running user's object permissions and field-level security (FLS) are not enforced; omitting proper permission checks therefore results in an escalation of
privilege (any caller who can reach the code can read or modify records they are not entitled to) and may also produce runtime errors. This check forces you to handle such scenarios.</p>
<p>Since Winter '23 (API Version 56) you can enforce user mode for database operations by using
<code class="language-plaintext highlighter-rouge">WITH USER_MODE</code> in SOQL. This makes Apex respect the field-level security (FLS) and object
permissions of the running user. When user mode is used, this rule reports no violation.</p>
<p>By default, the rule recognizes access checks performed using system Apex provisions such as
<code class="language-plaintext highlighter-rouge">DescribeSObjectResult.isAccessible/Createable/etc.</code>, the SOQL <code class="language-plaintext highlighter-rouge">WITH SECURITY_ENFORCED</code> clause,
or the open source <a href="https://github.com/forcedotcom/force-dot-com-esapi">Force.com ESAPI</a>
class library. Because it is common to use authorization facades to assist with this task, the
rule also allows configuration of regular-expression patterns for the methods used to
authorize each type of CRUD operation. Note that a configured pattern is trusted on the method name alone: the rule cannot verify that a matching method actually performs the check, so keep the patterns specific to your real authorization helpers. These patterns are configured via the following properties:</p>
< ul >
< li > < code class = "language-plaintext highlighter-rouge" > createAuthMethodPattern< / code > /< code class = "language-plaintext highlighter-rouge" > createAuthMethodTypeParamIndex< / code > - a pattern for the method used
for create authorization and an optional 0-based index of the parameter passed to that method
that denotes the < code class = "language-plaintext highlighter-rouge" > SObjectType< / code > being authorized for create.< / li >
< li > < code class = "language-plaintext highlighter-rouge" > readAuthMethodPattern< / code > /< code class = "language-plaintext highlighter-rouge" > readAuthMethodTypeParamIndex< / code > - a pattern for the method used
for read authorization and an optional 0-based index of the parameter passed to that method
that denotes the < code class = "language-plaintext highlighter-rouge" > SObjectType< / code > being authorized for read.< / li >
< li > < code class = "language-plaintext highlighter-rouge" > updateAuthMethodPattern< / code > /< code class = "language-plaintext highlighter-rouge" > updateAuthMethodTypeParamIndex< / code > - a pattern for the method used
for update authorization and an optional 0-based index of the parameter passed to that method
that denotes the < code class = "language-plaintext highlighter-rouge" > SObjectType< / code > being authorized for update.< / li >
< li > < code class = "language-plaintext highlighter-rouge" > deleteAuthMethodPattern< / code > /< code class = "language-plaintext highlighter-rouge" > deleteAuthMethodTypeParamIndex< / code > - a pattern for the method used
for delete authorization and an optional 0-based index of the parameter passed to that method
that denotes the < code class = "language-plaintext highlighter-rouge" > SObjectType< / code > being authorized for delete.< / li >
< li > < code class = "language-plaintext highlighter-rouge" > undeleteAuthMethodPattern< / code > /< code class = "language-plaintext highlighter-rouge" > undeleteAuthMethodTypeParamIndex< / code > - a pattern for the method used
for undelete authorization and an optional 0-based index of the parameter passed to that method
that denotes the < code class = "language-plaintext highlighter-rouge" > SObjectType< / code > being authorized for undelete.< / li >
< li > < code class = "language-plaintext highlighter-rouge" > mergeAuthMethodPattern< / code > /< code class = "language-plaintext highlighter-rouge" > mergeAuthMethodTypeParamIndex< / code > - a pattern for the method used
for merge authorization and an optional 0-based index of the parameter passed to that method
that denotes the < code class = "language-plaintext highlighter-rouge" > SObjectType< / code > being authorized for merge.< / li >
< / ul >
< p > The following example shows how the rule can be configured for the
< a href = "https://github.com/SCWells72/sirono-common" > sirono-common< / a >
< a href = "https://github.com/SCWells72/sirono-common#authorization-utilities" > < code class = "language-plaintext highlighter-rouge" > AuthorizationUtil< / code > < / a > class:< / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexCRUDViolation"< / span > < span class = "na" > message=< / span > < span class = "s" > "Validate CRUD permission before SOQL/DML operation"< / span > < span class = "nt" > > < / span >
< span class = "nt" > < priority> < / span > 3< span class = "nt" > < /priority> < / span >
< span class = "nt" > < properties> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "createAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > "AuthorizationUtil\.(is|assert)(Createable|Upsertable)"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "readAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > "AuthorizationUtil\.(is|assert)Accessible"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "updateAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > "AuthorizationUtil\.(is|assert)(Updateable|Upsertable)"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "deleteAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > "AuthorizationUtil\.(is|assert)Deletable"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "undeleteAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > "AuthorizationUtil\.(is|assert)Undeletable"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "mergeAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > "AuthorizationUtil\.(is|assert)Mergeable"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < /properties> < / span >
< span class = "nt" > < /rule> < / span >
< / code > < / pre > < / div > < / div >
< p > Note: This rule will produce false positives for VF getter methods. In VF getters the access permission
check happens automatically and is not needed explicitly. However, the rule can't reliably determine
whether a getter is a VF getter or not, and reports a violation in any case. In such cases, the violation
should be < a href = "pmd_userdocs_suppressing_warnings.html" > suppressed< / a > after confirming the getter really is only invoked from Visualforce.< / p >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexCRUDViolationRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexCRUDViolationRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "kd" > public< / span > < span class = "nc" > Contact< / span > < span class = "nf" > foo< / span > < span class = "o" > (< / span > < span class = "nc" > String< / span > < span class = "n" > status< / span > < span class = "o" > ,< / span > < span class = "nc" > String< / span > < span class = "no" > ID< / span > < span class = "o" > )< / span > < span class = "o" > {< / span >
< span class = "c1" > // validate you can actually query what you intend to retrieve< / span >
< span class = "nc" > Contact< / span > < span class = "n" > c< / span > < span class = "o" > =< / span > < span class = "o" > [< / span > < span class = "no" > SELECT< / span > < span class = "n" > Status__c< / span > < span class = "no" > FROM< / span > < span class = "nc" > Contact< / span > < span class = "no" > WHERE< / span > < span class = "nc" > Id< / span > < span class = "o" > =:< / span > < span class = "no" > ID< / span > < span class = "no" > WITH< / span > < span class = "no" > SECURITY_ENFORCED< / span > < span class = "o" > ];< / span >
< span class = "c1" > // Make sure we can update the database before even trying< / span >
< span class = "k" > if< / span > < span class = "o" > (!< / span > < span class = "nc" > Schema< / span > < span class = "o" > .< / span > < span class = "na" > sObjectType< / span > < span class = "o" > .< / span > < span class = "na" > Contact< / span > < span class = "o" > .< / span > < span class = "na" > fields< / span > < span class = "o" > .< / span > < span class = "na" > Status__c< / span > < span class = "o" > .< / span > < span class = "na" > isUpdateable< / span > < span class = "o" > ())< / span > < span class = "o" > {< / span >
< span class = "k" > return< / span > < span class = "kc" > null< / span > < span class = "o" > ;< / span >
< span class = "o" > }< / span >
< span class = "n" > c< / span > < span class = "o" > .< / span > < span class = "na" > Status__c< / span > < span class = "o" > =< / span > < span class = "n" > status< / span > < span class = "o" > ;< / span >
< span class = "n" > update< / span > < span class = "n" > c< / span > < span class = "o" > ;< / span >
< span class = "k" > return< / span > < span class = "n" > c< / span > < span class = "o" > ;< / span >
< span class = "o" > }< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is '|'.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< tr >
< td > updateAuthMethodPattern< / td >
< td > < / td >
< td > A regular expression for one or more custom update authorization method name patterns.< / td >
< td > no< / td >
< / tr >
< tr >
< td > updateAuthMethodTypeParamIndex< / td >
< td > 0< / td >
< td > The 0-based index of the sObjectType parameter for the custom update authorization method. Defaults to 0.< / td >
< td > no< / td >
< / tr >
< tr >
< td > readAuthMethodPattern< / td >
< td > < / td >
< td > A regular expression for one or more custom read authorization method name patterns.< / td >
< td > no< / td >
< / tr >
< tr >
< td > readAuthMethodTypeParamIndex< / td >
< td > 0< / td >
< td > The 0-based index of the sObjectType parameter for the custom read authorization method. Defaults to 0.< / td >
< td > no< / td >
< / tr >
< tr >
< td > undeleteAuthMethodPattern< / td >
< td > < / td >
< td > A regular expression for one or more custom undelete authorization method name patterns.< / td >
< td > no< / td >
< / tr >
< tr >
< td > undeleteAuthMethodTypeParamIndex< / td >
< td > 0< / td >
< td > The 0-based index of the sObjectType parameter for the custom undelete authorization method. Defaults to 0.< / td >
< td > no< / td >
< / tr >
< tr >
< td > deleteAuthMethodPattern< / td >
< td > < / td >
< td > A regular expression for one or more custom delete authorization method name patterns.< / td >
< td > no< / td >
< / tr >
< tr >
< td > deleteAuthMethodTypeParamIndex< / td >
< td > 0< / td >
< td > The 0-based index of the sObjectType parameter for the custom delete authorization method. Defaults to 0.< / td >
< td > no< / td >
< / tr >
< tr >
< td > mergeAuthMethodPattern< / td >
< td > < / td >
< td > A regular expression for one or more custom merge authorization method name patterns.< / td >
< td > no< / td >
< / tr >
< tr >
< td > mergeAuthMethodTypeParamIndex< / td >
< td > 0< / td >
< td > The 0-based index of the sObjectType parameter for the custom merge authorization method. Defaults to 0.< / td >
< td > no< / td >
< / tr >
< tr >
< td > createAuthMethodPattern< / td >
< td > < / td >
< td > A regular expression for one or more custom create authorization method name patterns.< / td >
< td > no< / td >
< / tr >
< tr >
< td > createAuthMethodTypeParamIndex< / td >
< td > 0< / td >
< td > The 0-based index of the sObjectType parameter for the custom create authorization method. Defaults to 0.< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexCRUDViolation"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< p > < strong > Use this rule and customize it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexCRUDViolation"< / span > < span class = "nt" > > < / span >
< span class = "nt" > < properties> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "updateAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > ""< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "updateAuthMethodTypeParamIndex"< / span > < span class = "na" > value=< / span > < span class = "s" > "0"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "readAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > ""< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "readAuthMethodTypeParamIndex"< / span > < span class = "na" > value=< / span > < span class = "s" > "0"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "undeleteAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > ""< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "undeleteAuthMethodTypeParamIndex"< / span > < span class = "na" > value=< / span > < span class = "s" > "0"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "deleteAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > ""< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "deleteAuthMethodTypeParamIndex"< / span > < span class = "na" > value=< / span > < span class = "s" > "0"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "mergeAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > ""< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "mergeAuthMethodTypeParamIndex"< / span > < span class = "na" > value=< / span > < span class = "s" > "0"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "createAuthMethodPattern"< / span > < span class = "na" > value=< / span > < span class = "s" > ""< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < property< / span > < span class = "na" > name=< / span > < span class = "s" > "createAuthMethodTypeParamIndex"< / span > < span class = "na" > value=< / span > < span class = "s" > "0"< / span > < span class = "nt" > /> < / span >
< span class = "nt" > < /properties> < / span >
< span class = "nt" > < /rule> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexcsrf" > ApexCSRF< / h2 >
< p > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f;" > Deprecated< / span > < / p >
< p > The rule has been moved to another ruleset. Use instead: < a href = "pmd_rules_apex_errorprone.html#apexcsrf" > ApexCSRF< / a > < / p >
< p > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f;" > Deprecated< / span > < / p >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
< p > Having DML operations in an Apex class constructor or initializer can have unexpected side effects:
by merely accessing a page, the DML statements would be executed and the database would be modified.
Just querying the database is permitted.< / p >
< p > In addition to constructors and initializers, any method called < code class = "language-plaintext highlighter-rouge" > init< / code > is checked as well.< / p >
< p > Salesforce Apex already protects against this scenario and raises a runtime exception.< / p >
< p > Note: This rule has been moved from category "Security" to "Error Prone" with PMD 6.21.0, since
using DML in constructors is not a security problem, but crashes the application.< / p >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/errorprone/ApexCSRFRule.java" > net.sourceforge.pmd.lang.apex.rule.errorprone.ApexCSRFRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "c1" > // initializer< / span >
< span class = "o" > {< / span >
< span class = "n" > insert< / span > < span class = "n" > data< / span > < span class = "o" > ;< / span >
< span class = "o" > }< / span >
< span class = "c1" > // static initializer< / span >
< span class = "kd" > static< / span > < span class = "o" > {< / span >
< span class = "n" > insert< / span > < span class = "n" > data< / span > < span class = "o" > ;< / span >
< span class = "o" > }< / span >
< span class = "c1" > // constructor< / span >
< span class = "kd" > public< / span > < span class = "nf" > Foo< / span > < span class = "o" > ()< / span > < span class = "o" > {< / span >
< span class = "n" > insert< / span > < span class = "n" > data< / span > < span class = "o" > ;< / span >
< span class = "o" > }< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is '|'.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexCSRF"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexdangerousmethods" > ApexDangerousMethods< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
< p > Checks against calling dangerous methods.< / p >
< p > For the time being, it reports:< / p >
< ul >
< li > Against < code class = "language-plaintext highlighter-rouge" > FinancialForce< / code > 's < code class = "language-plaintext highlighter-rouge" > Configuration.disableTriggerCRUDSecurity()< / code > . Disabling CRUD security
opens the door to several attacks and requires manual validation, which is unreliable.< / li >
< li > Calling < code class = "language-plaintext highlighter-rouge" > System.debug< / code > with sensitive data as a parameter, which writes that data to
debug logs and could expose private data to anyone who can read or export those logs.< / li >
< / ul >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexDangerousMethodsRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexDangerousMethodsRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "kd" > public< / span > < span class = "nf" > Foo< / span > < span class = "o" > ()< / span > < span class = "o" > {< / span >
< span class = "nc" > Configuration< / span > < span class = "o" > .< / span > < span class = "na" > disableTriggerCRUDSecurity< / span > < span class = "o" > ();< / span >
< span class = "o" > }< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is '|'.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexDangerousMethods"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexinsecureendpoint" > ApexInsecureEndpoint< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
< p > Checks against accessing endpoints under plain < strong > http< / strong > . A plain-HTTP callout exposes the
request and response, including any credentials it carries, to interception and tampering in transit; you should
always use < strong > https< / strong > .< / p >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexInsecureEndpointRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexInsecureEndpointRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "n" > without< / span > < span class = "n" > sharing< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "kt" > void< / span > < span class = "nf" > foo< / span > < span class = "o" > ()< / span > < span class = "o" > {< / span >
< span class = "nc" > HttpRequest< / span > < span class = "n" > req< / span > < span class = "o" > =< / span > < span class = "k" > new< / span > < span class = "nc" > HttpRequest< / span > < span class = "o" > ();< / span >
< span class = "n" > req< / span > < span class = "o" > .< / span > < span class = "na" > setEndpoint< / span > < span class = "o" > (< / span > < span class = "err" > '< / span > < span class = "nl" > http:< / span > < span class = "c1" > //localhost:com');< / span >
< span class = "o" > }< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is '|'.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexInsecureEndpoint"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexopenredirect" > ApexOpenRedirect< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
< p > Checks against redirects to user-controlled locations, such as a request parameter passed straight into a
< code class = "language-plaintext highlighter-rouge" > PageReference< / code > . Redirecting to an unvalidated target lets attackers send users to
phishing sites; validate the destination against an allowlist of expected locations instead of using the raw parameter.< / p >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexOpenRedirectRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexOpenRedirectRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "n" > without< / span > < span class = "n" > sharing< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "nc" > String< / span > < span class = "n" > unsafeLocation< / span > < span class = "o" > =< / span > < span class = "nc" > ApexPage< / span > < span class = "o" > .< / span > < span class = "na" > getCurrentPage< / span > < span class = "o" > ().< / span > < span class = "na" > getParameters< / span > < span class = "o" > .< / span > < span class = "na" > get< / span > < span class = "o" > (< / span > < span class = "err" > '< / span > < span class = "n" > url_param< / span > < span class = "err" > '< / span > < span class = "o" > );< / span >
< span class = "nc" > PageReference< / span > < span class = "nf" > page< / span > < span class = "o" > ()< / span > < span class = "o" > {< / span >
< span class = "k" > return< / span > < span class = "k" > new< / span > < span class = "nf" > PageReference< / span > < span class = "o" > (< / span > < span class = "n" > unsafeLocation< / span > < span class = "o" > );< / span >
< span class = "o" > }< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is '|'.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexOpenRedirect"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexsharingviolations" > ApexSharingViolations< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
< p > Detects classes declared without an explicit sharing mode when DML methods are used. This
forces the developer to consider access restrictions before modifying objects.< / p >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSharingViolationsRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexSharingViolationsRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "n" > without< / span > < span class = "n" > sharing< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "c1" > // DML operation here< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is ‘|’.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexSharingViolations"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexsoqlinjection" > ApexSOQLInjection< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
< p > Detects the use of untrusted or unescaped variables in DML queries.< / p >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexSOQLInjectionRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "kd" > public< / span > < span class = "kt" > void< / span > < span class = "nf" > test1< / span > < span class = "o" > (< / span > < span class = "nc" > String< / span > < span class = "n" > t1< / span > < span class = "o" > )< / span > < span class = "o" > {< / span >
< span class = "nc" > Database< / span > < span class = "o" > .< / span > < span class = "na" > query< / span > < span class = "o" > (< / span > < span class = "err" > '< / span > < span class = "no" > SELECT< / span > < span class = "nc" > Id< / span > < span class = "no" > FROM< / span > < span class = "nc" > Account< / span > < span class = "err" > '< / span > < span class = "o" > +< / span > < span class = "n" > t1< / span > < span class = "o" > );< / span >
< span class = "o" > }< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is ‘|’.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexSOQLInjection"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexsuggestusingnamedcred" > ApexSuggestUsingNamedCred< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
< p > Detects hardcoded credentials used in requests to an endpoint.< / p >
< p > You should refrain from hardcoding credentials:< / p >
< ul >
< li > They are hard to maintain because they are mixed into application code< / li >
< li > They are particularly hard to update when used from several classes< / li >
< li > Granting a developer access to the codebase also grants knowledge
of the credentials, so a two-level access model is not possible.< / li >
< li > Using different credentials for different environments is cumbersome
and error-prone.< / li >
< / ul >
< p > Instead, you should use < em > Named Credentials< / em > and a callout endpoint.< / p >
< p > For more information, see the < a href = "https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_callouts_named_credentials.htm" > Salesforce documentation on Named Credentials< / a > .< / p >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSuggestUsingNamedCredRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexSuggestUsingNamedCredRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "kd" > public< / span > < span class = "kt" > void< / span > < span class = "nf" > foo< / span > < span class = "o" > (< / span > < span class = "nc" > String< / span > < span class = "n" > username< / span > < span class = "o" > ,< / span > < span class = "nc" > String< / span > < span class = "n" > password< / span > < span class = "o" > )< / span > < span class = "o" > {< / span >
< span class = "nc" > Blob< / span > < span class = "n" > headerValue< / span > < span class = "o" > =< / span > < span class = "nc" > Blob< / span > < span class = "o" > .< / span > < span class = "na" > valueOf< / span > < span class = "o" > (< / span > < span class = "n" > username< / span > < span class = "o" > +< / span > < span class = "sc" > ':'< / span > < span class = "o" > +< / span > < span class = "n" > password< / span > < span class = "o" > );< / span >
< span class = "nc" > String< / span > < span class = "n" > authorizationHeader< / span > < span class = "o" > =< / span > < span class = "err" > '< / span > < span class = "no" > BASIC< / span > < span class = "err" > '< / span > < span class = "o" > +< / span > < span class = "nc" > EncodingUtil< / span > < span class = "o" > .< / span > < span class = "na" > base64Encode< / span > < span class = "o" > (< / span > < span class = "n" > headerValue< / span > < span class = "o" > );< / span >
< span class = "n" > req< / span > < span class = "o" > .< / span > < span class = "na" > setHeader< / span > < span class = "o" > (< / span > < span class = "err" > '< / span > < span class = "nc" > Authorization< / span > < span class = "err" > '< / span > < span class = "o" > ,< / span > < span class = "n" > authorizationHeader< / span > < span class = "o" > );< / span >
< span class = "o" > }< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is ‘|’.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexSuggestUsingNamedCred"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexxssfromescapefalse" > ApexXSSFromEscapeFalse< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
< p > Reports on calls to < code class = "language-plaintext highlighter-rouge" > addError< / code > with disabled escaping. The message passed to < code class = "language-plaintext highlighter-rouge" > addError< / code >
will be displayed directly to the user in the UI, making it prime ground for XSS
attacks if unescaped.< / p >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromEscapeFalseRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromEscapeFalseRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "n" > without< / span > < span class = "n" > sharing< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "nc" > Trigger< / span > < span class = "o" > .< / span > < span class = "na" > new< / span > < span class = "o" > [< / span > < span class = "mi" > 0< / span > < span class = "o" > ].< / span > < span class = "na" > addError< / span > < span class = "o" > (< / span > < span class = "n" > vulnerableHTMLGoesHere< / span > < span class = "o" > ,< / span > < span class = "kc" > false< / span > < span class = "o" > );< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is ‘|’.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 100< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexXSSFromEscapeFalse"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< h2 id = "apexxssfromurlparam" > ApexXSSFromURLParam< / h2 >
< p > < strong > Since:< / strong > PMD 5.5.3< / p >
< p > < strong > Priority:< / strong > Medium (3)< / p >
< p > Makes sure that all values obtained from URL parameters are properly escaped / sanitized
to avoid XSS attacks.< / p >
< p > < strong > This rule is defined by the following Java class:< / strong > < a href = "https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.java" > net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromURLParamRule< / a > < / p >
< p > < strong > Example(s):< / strong > < / p >
< div class = "language-java highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "kd" > public< / span > < span class = "n" > without< / span > < span class = "n" > sharing< / span > < span class = "kd" > class< / span > < span class = "nc" > Foo< / span > < span class = "o" > {< / span >
< span class = "nc" > String< / span > < span class = "n" > unescapedstring< / span > < span class = "o" > =< / span > < span class = "nc" > ApexPage< / span > < span class = "o" > .< / span > < span class = "na" > getCurrentPage< / span > < span class = "o" > ().< / span > < span class = "na" > getParameters< / span > < span class = "o" > .< / span > < span class = "na" > get< / span > < span class = "o" > (< / span > < span class = "err" > '< / span > < span class = "n" > url_param< / span > < span class = "err" > '< / span > < span class = "o" > );< / span >
< span class = "nc" > String< / span > < span class = "n" > usedLater< / span > < span class = "o" > =< / span > < span class = "n" > unescapedstring< / span > < span class = "o" > ;< / span >
< span class = "o" > }< / span >
< / code > < / pre > < / div > < / div >
< p > < strong > This rule has the following properties:< / strong > < / p >
< table >
< thead >
< tr >
< th > Name< / th >
< th > Default Value< / th >
< th > Description< / th >
< th > Multivalued< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > cc_categories< / td >
< td > Security< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Categories< / td >
< td > yes. Delimiter is ‘|’.< / td >
< / tr >
< tr >
< td > cc_remediation_points_multiplier< / td >
< td > 50< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Remediation Points multiplier< / td >
< td > no< / td >
< / tr >
< tr >
< td > cc_block_highlighting< / td >
< td > false< / td >
< td > < span style = "border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;" > Deprecated< / span > Code Climate Block Highlighting< / td >
< td > no< / td >
< / tr >
< / tbody >
< / table >
< p > < strong > Use this rule with the default properties by just referencing it:< / strong > < / p >
< div class = "language-xml highlighter-rouge" > < div class = "highlight" > < pre class = "highlight" > < code > < span class = "nt" > < rule< / span > < span class = "na" > ref=< / span > < span class = "s" > "category/apex/security.xml/ApexXSSFromURLParam"< / span > < span class = "nt" > /> < / span >
< / code > < / pre > < / div > < / div >
< div class = "tags" >
< / div >
< / div >
< / div >
<!-- /.row -->
< / div >
<!-- /.container -->
< / div >
< / div >
< / div >
< / body >
< / html >