From 07100bc15dd575a66675013738f17f28811174a1 Mon Sep 17 00:00:00 2001
From: Sergey
Date: Tue, 31 Jan 2017 16:00:53 -0800
Subject: [PATCH] Integers won't count as SOQL injection

---
 .../apex/rule/security/ApexSOQLInjectionRule.java | 4 ++++
 .../apex/rule/security/xml/ApexSOQLInjection.xml | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java
index 074eeca57c..f21400c23b 100644
--- a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java
+++ b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java
@@ -96,6 +96,10 @@ public class ApexSOQLInjectionRule extends AbstractApexRule {
             if (literal != null) {
                 if (left != null) {
                     Object o = literal.getNode().getLiteral();
+                    if (o instanceof Integer || o instanceof Boolean || o instanceof Double) {
+                        safeVariables.add(Helper.getFQVariableName(left));
+                    }
+
                     if (o instanceof String) {
                         if (SELECT_PATTERN.matcher((String) o).matches()) {
                             selectContainingVariables.put(Helper.getFQVariableName(left), Boolean.TRUE);
diff --git a/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexSOQLInjection.xml b/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexSOQLInjection.xml
index 8646523332..ae96b8ba38 100644
--- a/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexSOQLInjection.xml
+++ b/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexSOQLInjection.xml
@@ -206,4 +206,19 @@ public class Foo {
     }
 ]]>
+ + + Dynamic SOQL with Integer + + 0 + +
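Review bot: The new `safeVariables.add(...)` marks a variable safe from a single literal assignment, but nothing in this hunk removes the variable from `safeVariables` if it is later reassigned from a non-literal source (for example a String parameter), so a later tainted assignment would presumably be treated as safe at the SOQL sink; please confirm that reassignment handling exists in the part of the method outside this hunk, or remove the name from `safeVariables` on any non-literal assignment. The type check is also narrower than Apex's numeric literal set: if `getLiteral()` can return Long or Decimal values for such literals, those assignments still fall through and the variable keeps being flagged, while `if (o instanceof Number || o instanceof Boolean)` would cover every numeric representation without listing them. A short comment on the added branch, such as `// numeric and boolean literals cannot carry SOQL fragments, so the variable is safe to concatenate`, would record why these types are exempted. The enclosing method starts and ends outside this hunk.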