Merge branch 'pr-160'

pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexDangerousMethodsRule.java

@@ -0,0 +1,48 @@
+/**
+ * BSD-style license; for more info see http://pmd.sourceforge.net/license.html
+ */
+
+package net.sourceforge.pmd.lang.apex.rule.security;
+
+import java.util.List;
+
+import net.sourceforge.pmd.lang.apex.ast.ASTMethodCallExpression;
+import net.sourceforge.pmd.lang.apex.ast.ASTUserClass;
+import net.sourceforge.pmd.lang.apex.rule.AbstractApexRule;
+
+/**
+ * Flags dangerous method calls, e.g. FinancialForce
+ * Configuration.disableTriggerCRUDSecurity()
+ * 
+ * 
+ * @author sergey.gorbaty
+ *
+ */
+public class ApexDangerousMethodsRule extends AbstractApexRule {
+    private static final String DISABLE_CRUD = "disableTriggerCRUDSecurity";
+    private static final String CONFIGURATION = "Configuration";
+
+    public ApexDangerousMethodsRule() {
+        super.addRuleChainVisit(ASTUserClass.class);
+        setProperty(CODECLIMATE_CATEGORIES, new String[] { "Security" });
+        setProperty(CODECLIMATE_REMEDIATION_MULTIPLIER, 100);
+        setProperty(CODECLIMATE_BLOCK_HIGHLIGHTING, false);
+
+    }
+
+    public Object visit(ASTUserClass node, Object data) {
+        if (Helper.isTestMethodOrClass(node)) {
+            return data;
+        }
+
+        List<ASTMethodCallExpression> methodCalls = node.findDescendantsOfType(ASTMethodCallExpression.class);
+        for (ASTMethodCallExpression methodCall : methodCalls) {
+            if (Helper.isMethodName(methodCall, CONFIGURATION, DISABLE_CRUD)) {
+                addViolation(data, methodCall);
+            }
+        }
+
+        return data;
+    }
+
+}

pmd-apex/src/main/resources/rulesets/apex/ruleset.xml

@@ -261,5 +261,14 @@
          <property name="cc_remediation_points_multiplier" value="150"/>
          <property name="cc_block_highlighting" value="false"/>
       </properties>
-   </rule>	
-</ruleset>
+   </rule>
+   <rule ref="rulesets/apex/security.xml/ApexDangerousMethods" message="Calling potentially dangerous method">
+      <priority>3</priority>
+      <properties>
+         <!-- relevant for Code Climate output only -->
+         <property name="cc_categories" value="Security"/>
+         <property name="cc_remediation_points_multiplier" value="50"/>
+         <property name="cc_block_highlighting" value="false"/>
+      </properties>
+   </rule>		
+</ruleset>

pmd-apex/src/main/resources/rulesets/apex/security.xml

@@ -189,4 +189,23 @@ public class Foo {
         </example>
 	</rule>
 
+	<rule name="ApexDangerousMethods" since="5.5.3"
+		message="Calling potentially dangerous method"
+		class="net.sourceforge.pmd.lang.apex.rule.security.ApexDangerousMethodsRule"
+		externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexDangerousMethodsRule">
+		<description>
+            Calling potentially dangerous method
+        </description>
+		<priority>3</priority>
+		<example>
+            <![CDATA[
+public class Foo {
+	public Foo() {
+		Configuration.disableTriggerCRUDSecurity();
+	}	
+}
+    ]]>
+        </example>
+	</rule>
+
 </ruleset>

pmd-apex/src/test/java/net/sourceforge/pmd/lang/apex/rule/security/SecurityRulesTest.java

@@ -21,5 +21,6 @@ public class SecurityRulesTest extends SimpleAggregatorTst {
         addRule(RULESET, "ApexSharingViolations");
         addRule(RULESET, "ApexInsecureEndpoint");
         addRule(RULESET, "ApexCRUDViolation");
+        addRule(RULESET, "ApexDangerousMethods");
     }
 }

pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexDangerousMethods.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<test-data>
+
+	<test-code>
+		<description>Apex dangerous FileForce method</description>
+		<expected-problems>1</expected-problems>
+		<code><![CDATA[
+public class Foo extends fflib_SObjectDomain {
+	public Foo() {
+		Configuration.disableTriggerCRUDSecurity();
+	}	
+}
+		]]></code>
+	</test-code>
+
+	<test-code>
+		<description>Apex non FileForce method</description>
+		<expected-problems>0</expected-problems>
+		<code><![CDATA[
+public class Foo {
+	public Foo() {
+		Configurations.disableTriggerCRUDSecurity();
+	}	
+}
+		]]></code>
+	</test-code>
+
+</test-data>

pmd-core/src/main/resources/rulesets/releases/553.xml

@@ -17,6 +17,7 @@ This ruleset contains links to rules that are new in PMD v5.5.3
     <rule ref="rulesets/apex/security.xml/ApexCSRF"/>
     <rule ref="rulesets/apex/security.xml/ApexSOQLInjection"/>
     <rule ref="rulesets/apex/security.xml/ApexCRUDViolation"/>
+    <rule ref="rulesets/apex/security.xml/ApexDangerousMethods"/>
 
 </ruleset>
 

src/site/markdown/overview/changelog.md

@@ -20,6 +20,7 @@
         *   ApexBadCrypto
         *   ApexCRUDViolation
         *   ApexCSRF
+        *   ApexDangerousMethods
         *   ApexInsecureEndpoint
         *   ApexOpenRedirect
         *   ApexSharingViolations
@@ -55,6 +56,7 @@
 *   [#152](https://github.com/pmd/pmd/pull/152): \[java] fixes #1552 continue does not require break
 *   [#154](https://github.com/pmd/pmd/pull/154): \[java] Fix #1547: UnusedImports: Adjust regex to support underscores
 *   [#158](https://github.com/pmd/pmd/pull/158): \[apex] Reducing FPs in SOQL with VF getter methods
+*   [#160](https://github.com/pmd/pmd/pull/160): \[apex] Flagging of dangerous method call
 
 **Bugfixes:**