pmd/pmd_rules_apex_security.html


<!DOCTYPE html>
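<!-- lang declares the document language (all visible text here is English) for screen readers and hyphenation -->
<html lang="en">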
<head>
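<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Rules that flag potential security flaws.">
<meta name="keywords" content=" Security, ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexXSSFromEscapeFalse, ApexXSSFromURLParam">
<title>Security | PMD Source Code Analyzer</title>
<link rel="stylesheet" href="css/syntax.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css">
<!--<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">-->
<link rel="stylesheet" href="css/modern-business.css">
<link rel="stylesheet" href="css/lavish-bootstrap.css">
<link rel="stylesheet" href="css/customstyles.css">
<link rel="stylesheet" href="css/theme-blue.css">
<link rel="stylesheet" href="css/pmd-customstyles.css">
<!-- NOTE(review): the third-party assets on this page (Font Awesome above; jQuery, jquery-cookie,
     Bootstrap and anchor-js below; the IE shims further down) are fetched from CDNs without
     Subresource Integrity, so a tampered CDN response would run with full access to this page.
     Add integrity and crossorigin attributes using the hashes published for each release (do not
     derive them from an unverified copy). jQuery 2.1.4 and Bootstrap 3.3.4 are end-of-life lines
     that later received security fixes; pin a maintained release. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-cookie/1.4.1/jquery.cookie.min.js"></script>
<script src="js/jquery.navgoco.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/anchor-js/2.0.0/anchor.min.js"></script>
<script src="js/toc.js"></script>
<script src="js/customscripts.js"></script>
<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon">
<link rel="icon" href="images/favicon.ico" type="image/x-icon">
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="alternate" type="application/rss+xml" title="" href="https://pmd.github.io/pmd/feed.xml">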
<script>
$(document).ready(function() {
  var sidebar = $("#mysidebar");

  // Sidebar accordion: one section open at a time, the open one carrying the 'active' class.
  var navgocoOptions = {
    caretHtml: '',
    accordion: true,
    openClass: 'active', // open
    save: false, // leave false or nav highlighting doesn't work right
    cookie: {
      name: 'navgoco',
      expires: false,
      path: '/'
    },
    slide: {
      duration: 400,
      easing: 'swing'
    }
  };
  sidebar.navgoco(navgocoOptions);

  // Builds a click handler that opens (true) or closes (false) every sidebar section.
  // The #collapseAll / #expandAll links only exist if the commented-out block in the sidebar is enabled.
  function toggleAllSections(open) {
    return function(event) {
      event.preventDefault();
      sidebar.navgoco('toggle', open);
    };
  }
  $("#collapseAll").click(toggleAllSections(false));
  $("#expandAll").click(toggleAllSections(true));
});
</script>
<script>
// Activate Bootstrap tooltips on every element that opts in via data-toggle="tooltip".
$(document).ready(function () {
  var tooltipTargets = $('[data-toggle="tooltip"]');
  tooltipTargets.tooltip();
});
</script>
<script>
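$(document).ready(function() {
  // "Nav" toggle in the top bar: hide/show the sidebar column, let the content column take the
  // full width, and swap the toggle icon. The link's href is "#", so the default action is
  // suppressed (as the other sidebar controls already do) instead of jumping to the top of the page.
  $("#tg-sb-link").click(function(event) {
    event.preventDefault();
    $("#tg-sb-sidebar").toggle();
    $("#tg-sb-content").toggleClass('col-md-9 col-md-12');
    $("#tg-sb-icon").toggleClass('fa-toggle-on fa-toggle-off');
  });
});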
</script>
</head>
<body>
<!-- Content is offset by the height of the topnav bar. -->
<!-- There's already a padding-top rule in modern-business.css, but it apparently doesn't work on Firefox 60 and Chrome 67 -->
<div id="topbar-content-offset">
<!-- Navigation -->
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container topnavlinks">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="fa fa-home fa-lg navbar-brand" href="index.html">&nbsp;<span class="projectTitle"> PMD Source Code Analyzer Project</span></a>
</div>
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
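<ul class="nav navbar-nav navbar-right">
  <!-- toggle sidebar button -->
  <li><a id="tg-sb-link" href="#"><i id="tg-sb-icon" class="fa fa-toggle-on"></i> Nav</a></li>
  <!-- entries without drop-downs appear here -->
  <!-- rel="noopener": a tab opened with target="_blank" must not get a window.opener handle back to this page -->
  <li><a href="https://github.com/pmd/pmd/releases/latest" target="_blank" rel="noopener">Download</a></li>
  <li><a href="https://github.com/pmd/pmd" target="_blank" rel="noopener">Fork us on github</a></li>
  <!-- entries with drop-downs appear here -->
  <!-- conditional logic to control which topnav appears for the audience defined in the configuration file.-->
  <!--comment out this block if you want to hide search-->
  <li>
    <!--start search-->
    <div id="search-demo-container">
      <!-- visually hidden label: the placeholder alone is not an accessible name for the field -->
      <label for="search-input" class="sr-only">Search</label>
      <input type="text" id="search-input" placeholder="search...">
      <ul id="results-container"></ul>
    </div>
    <script src="js/jekyll-search.js"></script>
    <script>
    // NOTE(review): {url} and {title} come from search.json and are interpolated straight into
    // the result markup; confirm the site generator escapes them (or use the library's template
    // middleware hook, if the bundled version provides one) so a crafted title cannot inject
    // HTML into the results list.
    SimpleJekyllSearch.init({
      searchInput: document.getElementById('search-input'),
      resultsContainer: document.getElementById('results-container'),
      dataSource: 'search.json',
      searchResultTemplate: '<li><a href="{url}" title="Security">{title}</a></li>',
      noResultsText: 'No results found.',
      limit: 10,
      fuzzy: true,
    })
    </script>
    <!--end search-->
  </li>
</ul>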
</div>
</div>
<!-- /.container -->
</nav>
<!-- Page Content -->
<div class="container">
<div class="col-lg-12">&nbsp;</div>
<!-- Content Row -->
<div class="row">
<!-- Sidebar Column -->
<div class="col-md-3" id="tg-sb-sidebar">
<ul id="mysidebar" class="nav">
<li class="sidebarTitle">PMD 6.31.0-SNAPSHOT</li>
<li>
<a href="#">About</a>
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="pmd_release_notes.html">Release notes</a></li>
<li><a href="pmd_next_major_development.html">PMD 7.0.0 development</a></li>
<li><a href="pmd_about_help.html">Getting help</a></li>
</ul>
</li>
<li>
<a href="#">User Documentation</a>
<ul>
<li><a href="pmd_userdocs_installation.html">Installation and basic CLI usage</a></li>
<li><a href="pmd_userdocs_making_rulesets.html">Making rulesets</a></li>
<li><a href="pmd_userdocs_configuring_rules.html">Configuring rules</a></li>
<li><a href="pmd_userdocs_best_practices.html">Best practices</a></li>
<li><a href="pmd_userdocs_suppressing_warnings.html">Suppressing warnings</a></li>
<li><a href="pmd_userdocs_incremental_analysis.html">Incremental analysis</a></li>
<li><a href="pmd_userdocs_cli_reference.html">PMD CLI reference</a></li>
<li><a href="pmd_userdocs_report_formats.html">PMD Report formats</a></li>
<li class="subfolders">
<a href="#">CPD reference</a>
<ul>
<li><a href="pmd_userdocs_cpd.html">Copy-paste detection</a></li>
<li><a href="pmd_userdocs_cpd_report_formats.html">CPD Report formats</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">Extending PMD</a>
<ul>
<li><a href="pmd_userdocs_extending_writing_rules_intro.html">Introduction to writing rules</a></li>
<li><a href="pmd_userdocs_extending_your_first_rule.html">Your first rule</a></li>
<li><a href="pmd_userdocs_extending_writing_xpath_rules.html">XPath rules</a></li>
<li><a href="pmd_userdocs_extending_writing_java_rules.html">Java rules</a></li>
<li><a href="pmd_userdocs_extending_designer_reference.html">Rule designer reference</a></li>
<li><a href="pmd_userdocs_extending_defining_properties.html">Defining rule properties</a></li>
<li><a href="pmd_userdocs_extending_metrics_howto.html">Using and defining code metrics</a></li>
<li><a href="pmd_userdocs_extending_rule_guidelines.html">Rule guidelines</a></li>
<li><a href="pmd_userdocs_extending_testing.html">Testing your rules</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">Tools / Integrations</a>
<ul>
<li><a href="pmd_userdocs_tools_maven.html">Maven PMD Plugin</a></li>
<li><a href="pmd_userdocs_tools_gradle.html">Gradle</a></li>
<li><a href="pmd_userdocs_tools_ant.html">Ant</a></li>
<li><a href="pmd_userdocs_tools_java_api.html">PMD Java API</a></li>
<li><a href="pmd_userdocs_tools_ci.html">CI integrations</a></li>
<li><a href="pmd_userdocs_tools.html">Other Tools / Integrations</a></li>
</ul>
</li>
</ul>
</li>
<li>
<a href="#">Rule Reference</a>
<ul>
<li class="subfolders">
<a href="#">Apex Rules</a>
<ul>
<li><a href="pmd_rules_apex.html">Index</a></li>
<li><a href="pmd_rules_apex_bestpractices.html">Best Practices</a></li>
<li><a href="pmd_rules_apex_codestyle.html">Code Style</a></li>
<li><a href="pmd_rules_apex_design.html">Design</a></li>
<li><a href="pmd_rules_apex_documentation.html">Documentation</a></li>
<li><a href="pmd_rules_apex_errorprone.html">Error Prone</a></li>
<li><a href="pmd_rules_apex_performance.html">Performance</a></li>
<li class="active"><a href="pmd_rules_apex_security.html">Security</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">Ecmascript Rules</a>
<ul>
<li><a href="pmd_rules_ecmascript.html">Index</a></li>
<li><a href="pmd_rules_ecmascript_bestpractices.html">Best Practices</a></li>
<li><a href="pmd_rules_ecmascript_codestyle.html">Code Style</a></li>
<li><a href="pmd_rules_ecmascript_errorprone.html">Error Prone</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">Java Rules</a>
<ul>
<li><a href="pmd_rules_java.html">Index</a></li>
<li><a href="pmd_rules_java_bestpractices.html">Best Practices</a></li>
<li><a href="pmd_rules_java_codestyle.html">Code Style</a></li>
<li><a href="pmd_rules_java_design.html">Design</a></li>
<li><a href="pmd_rules_java_documentation.html">Documentation</a></li>
<li><a href="pmd_rules_java_errorprone.html">Error Prone</a></li>
<li><a href="pmd_rules_java_multithreading.html">Multithreading</a></li>
<li><a href="pmd_rules_java_performance.html">Performance</a></li>
<li><a href="pmd_rules_java_security.html">Security</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">Java Server Pages Rules</a>
<ul>
<li><a href="pmd_rules_jsp.html">Index</a></li>
<li><a href="pmd_rules_jsp_bestpractices.html">Best Practices</a></li>
<li><a href="pmd_rules_jsp_codestyle.html">Code Style</a></li>
<li><a href="pmd_rules_jsp_design.html">Design</a></li>
<li><a href="pmd_rules_jsp_errorprone.html">Error Prone</a></li>
<li><a href="pmd_rules_jsp_security.html">Security</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">Maven POM Rules</a>
<ul>
<li><a href="pmd_rules_pom.html">Index</a></li>
<li><a href="pmd_rules_pom_errorprone.html">Error Prone</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">Modelica Rules</a>
<ul>
<li><a href="pmd_rules_modelica.html">Index</a></li>
<li><a href="pmd_rules_modelica_bestpractices.html">Best Practices</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">PLSQL Rules</a>
<ul>
<li><a href="pmd_rules_plsql.html">Index</a></li>
<li><a href="pmd_rules_plsql_bestpractices.html">Best Practices</a></li>
<li><a href="pmd_rules_plsql_codestyle.html">Code Style</a></li>
<li><a href="pmd_rules_plsql_design.html">Design</a></li>
<li><a href="pmd_rules_plsql_errorprone.html">Error Prone</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">Salesforce VisualForce Rules</a>
<ul>
<li><a href="pmd_rules_vf.html">Index</a></li>
<li><a href="pmd_rules_vf_security.html">Security</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">VM Rules</a>
<ul>
<li><a href="pmd_rules_vm.html">Index</a></li>
<li><a href="pmd_rules_vm_bestpractices.html">Best Practices</a></li>
<li><a href="pmd_rules_vm_design.html">Design</a></li>
<li><a href="pmd_rules_vm_errorprone.html">Error Prone</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">XML Rules</a>
<ul>
<li><a href="pmd_rules_xml.html">Index</a></li>
<li><a href="pmd_rules_xml_errorprone.html">Error Prone</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">XSL Rules</a>
<ul>
<li><a href="pmd_rules_xsl.html">Index</a></li>
<li><a href="pmd_rules_xsl_codestyle.html">Code Style</a></li>
<li><a href="pmd_rules_xsl_performance.html">Performance</a></li>
</ul>
</li>
</ul>
</li>
<li>
<a href="#">Language Specific Documentation</a>
<ul>
<li><a href="pmd_languages_jsp.html">JSP Support</a></li>
<li><a href="pmd_java_metrics_index.html">Java code metrics</a></li>
<li><a href="pmd_apex_metrics_index.html">Apex code metrics</a></li>
</ul>
</li>
<li>
<a href="#">Developer Documentation</a>
<ul>
<li><a href="pmd_devdocs_development.html">Developer resources</a></li>
<li><a href="pmd_devdocs_building.html">Building PMD from source</a></li>
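<li><a href="https://github.com/pmd/pmd/blob/master/CONTRIBUTING.md" target="_blank" rel="noopener">Contributing</a></li> <!-- rel="noopener": no window.opener handle for the new tab -->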
<li><a href="pmd_devdocs_writing_documentation.html">Writing documentation</a></li>
<li><a href="pmd_devdocs_roadmap.html">Roadmap</a></li>
<li><a href="pmd_devdocs_how_pmd_works.html">How PMD works</a></li>
<li><a href="pmd_devdocs_pmdtester.html">Pmdtester</a></li>
<li><a href="pmd_devdocs_rule_deprecation_policy.html">Rule Deprecation Policy</a></li>
<li class="subfolders">
<a href="#">Major contributions</a>
<ul>
<li><a href="pmd_devdocs_major_adding_new_language.html">Adding a new language</a></li>
<li><a href="pmd_devdocs_major_adding_new_cpd_language.html">Adding a new CPD language</a></li>
<li><a href="pmd_devdocs_major_adding_new_metrics_framework.html">Adding metrics support to a language</a></li>
</ul>
</li>
<li class="subfolders">
<a href="#">Experimental features</a>
<ul>
<li><a href="pmd_devdocs_experimental_ast_dump.html">Creating (XML) dump of the AST</a></li>
</ul>
</li>
</ul>
</li>
<li>
<a href="#">Project documentation</a>
<ul>
<li class="subfolders">
<a href="#">Trivia about PMD</a>
<ul>
<li><a href="pmd_projectdocs_trivia_news.html">PMD in the press</a></li>
<li><a href="pmd_projectdocs_trivia_products.html">Products & books related to PMD</a></li>
<li><a href="pmd_projectdocs_trivia_similarprojects.html">Similar projects</a></li>
<li><a href="pmd_projectdocs_trivia_meaning.html">What does 'PMD' mean?</a></li>
</ul>
</li>
<li><a href="pmd_projectdocs_faq.html">FAQ</a></li>
<li><a href="license.html">License</a></li>
<li><a href="pmd_projectdocs_credits.html">Credits</a></li>
<li><a href="pmd_release_notes_old.html">Old release notes</a></li>
<li class="subfolders">
<a href="#">Project management</a>
<ul>
<li><a href="pmd_projectdocs_committers_releasing.html">Release process</a></li>
<li><a href="pmd_projectdocs_committers_merging_pull_requests.html">Merging pull requests</a></li>
<li><a href="pmd_projectdocs_committers_main_landing_page.html">Main Landing page</a></li>
</ul>
</li>
</ul>
</li>
<!-- if you aren't using the accordion, uncomment this block:
<p class="external">
<a href="#" id="collapseAll">Collapse All</a> | <a href="#" id="expandAll">Expand All</a>
</p>
-->
</ul>
<!-- Marks every ancestor <li> of the current page's entry as active so navgoco expands the section that contains it. This must stay below the sidebar markup: placed in customscripts.js it would run before the sidebar exists and the class would never be set. -->
<script>
  var currentEntry = $("li.active");
  currentEntry.parents("li").toggleClass("active");
</script>
</div>
<!-- Content Column -->
<div class="col-md-9" id="tg-sb-content">
<div class="post-header">
<h1 class="post-title-main">Security</h1>
</div>
<div class="post-content">
<div class="summary">Rules that flag potential security flaws.</div>
<!-- this handles the automatic toc. use ## for subheads to auto-generate the on-page minitoc. if you use html tags, you must supply an ID for the heading element in order for it to appear in the minitoc. -->
<script>
$(function() {
  // Build the on-page mini TOC in #toc from the h2, h3 and h4 headings of the content.
  var tocOptions = {
    minimumHeaders: 0,
    listType: 'ul',
    showSpeed: 0,
    headers: 'h2,h3,h4'
  };
  $('#toc').toc(tocOptions);
});
</script>
<div id="toc"></div>
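<!-- rel="noopener": the GitHub tab must not receive a window.opener handle back to this page -->
<a target="_blank" rel="noopener" href="https://github.com/pmd/pmd/blob/master/docs/../pmd-apex/src/main/resources/category/apex/security.xml" class="btn btn-default githubEditButton" role="button"><i class="fa fa-github fa-lg"></i> Edit me</a>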
<!-- DO NOT EDIT THIS FILE. This file is generated from file ../pmd-apex/src/main/resources/category/apex/security.xml. -->
<h2 id="apexbadcrypto">ApexBadCrypto</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>The rule makes sure you are using randomly generated IVs and keys for <code class="language-plaintext highlighter-rouge">Crypto</code> calls.
Hard-coding these values greatly compromises the security of the encrypted data.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexBadCryptoRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexBadCryptoRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="nc">Blob</span> <span class="n">hardCodedIV</span> <span class="o">=</span> <span class="nc">Blob</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="err">'</span><span class="nc">Hardcoded</span> <span class="no">IV</span> <span class="mi">123</span><span class="err">'</span><span class="o">);</span>
<span class="nc">Blob</span> <span class="n">hardCodedKey</span> <span class="o">=</span> <span class="nc">Blob</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="err">'</span><span class="mo">0000000000000000</span><span class="err">'</span><span class="o">);</span>
<span class="nc">Blob</span> <span class="n">data</span> <span class="o">=</span> <span class="nc">Blob</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="err">'</span><span class="nc">Data</span> <span class="n">to</span> <span class="n">be</span> <span class="n">encrypted</span><span class="err">'</span><span class="o">);</span>
<span class="nc">Blob</span> <span class="n">encrypted</span> <span class="o">=</span> <span class="nc">Crypto</span><span class="o">.</span><span class="na">encrypt</span><span class="o">(</span><span class="err">'</span><span class="no">AES128</span><span class="err">'</span><span class="o">,</span> <span class="n">hardCodedKey</span><span class="o">,</span> <span class="n">hardCodedIV</span><span class="o">,</span> <span class="n">data</span><span class="o">);</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexBadCrypto"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexcrudviolation">ApexCRUDViolation</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>The rule validates that you are checking for access permissions before a SOQL/SOSL/DML operation.
Since Apex runs in system mode, missing permission checks result in escalation of
privilege and may produce runtime errors. This check forces you to handle such scenarios.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexCRUDViolationRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexCRUDViolationRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kd">public</span> <span class="nc">Contact</span> <span class="nf">foo</span><span class="o">(</span><span class="nc">String</span> <span class="n">status</span><span class="o">,</span> <span class="nc">String</span> <span class="no">ID</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">Contact</span> <span class="n">c</span> <span class="o">=</span> <span class="o">[</span><span class="no">SELECT</span> <span class="n">Status__c</span> <span class="no">FROM</span> <span class="nc">Contact</span> <span class="no">WHERE</span> <span class="nc">Id</span><span class="o">=:</span><span class="no">ID</span><span class="o">];</span>
<span class="c1">// Make sure we can update the database before even trying</span>
<span class="k">if</span> <span class="o">(!</span><span class="nc">Schema</span><span class="o">.</span><span class="na">sObjectType</span><span class="o">.</span><span class="na">Contact</span><span class="o">.</span><span class="na">fields</span><span class="o">.</span><span class="na">Name</span><span class="o">.</span><span class="na">isUpdateable</span><span class="o">())</span> <span class="o">{</span>
<span class="k">return</span> <span class="kc">null</span><span class="o">;</span>
<span class="o">}</span>
<span class="n">c</span><span class="o">.</span><span class="na">Status__c</span> <span class="o">=</span> <span class="n">status</span><span class="o">;</span>
<span class="n">update</span> <span class="n">c</span><span class="o">;</span>
<span class="k">return</span> <span class="n">c</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexCRUDViolation"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexcsrf">ApexCSRF</h2>
<p><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f;">Deprecated</span></p>
<p>The rule has been moved to another ruleset. Use instead: <a href="pmd_rules_apex_errorprone.html#apexcsrf">ApexCSRF</a></p>
<p><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f;">Deprecated</span></p>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Having DML operations in an Apex class constructor or in initializers can have unexpected side effects:
by just accessing a page, the DML statements would be executed and the database would be modified.
Just querying the database is permitted.</p>
<p>In addition to constructors and initializers, any method called <code class="language-plaintext highlighter-rouge">init</code> is checked as well.</p>
<p>Salesforce Apex already protects against this scenario and raises a runtime exception.</p>
<p>Note: This rule has been moved from category "Security" to "Error Prone" with PMD 6.21.0, since
using DML in constructors is not a security problem, but crashes the application.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/errorprone/ApexCSRFRule.java">net.sourceforge.pmd.lang.apex.rule.errorprone.ApexCSRFRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="c1">// initializer</span>
<span class="o">{</span>
<span class="n">insert</span> <span class="n">data</span><span class="o">;</span>
<span class="o">}</span>
<span class="c1">// static initializer</span>
<span class="kd">static</span> <span class="o">{</span>
<span class="n">insert</span> <span class="n">data</span><span class="o">;</span>
<span class="o">}</span>
<span class="c1">// constructor</span>
<span class="kd">public</span> <span class="nf">Foo</span><span class="o">()</span> <span class="o">{</span>
<span class="n">insert</span> <span class="n">data</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexCSRF"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexdangerousmethods">ApexDangerousMethods</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Checks against calling dangerous methods.</p>
<p>For the time being, it reports:</p>
<ul>
<li>Against <code class="language-plaintext highlighter-rouge">FinancialForce</code>'s <code class="language-plaintext highlighter-rouge">Configuration.disableTriggerCRUDSecurity()</code>. Disabling CRUD security
opens the door to several attacks and leaves access control to manual validation, which is unreliable.</li>
<li>Calling <code class="language-plaintext highlighter-rouge">System.debug</code> with sensitive data as a parameter, which could lead to the exposure
of private data through the debug logs.</li>
</ul>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexDangerousMethodsRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexDangerousMethodsRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kd">public</span> <span class="nf">Foo</span><span class="o">()</span> <span class="o">{</span>
<span class="nc">Configuration</span><span class="o">.</span><span class="na">disableTriggerCRUDSecurity</span><span class="o">();</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexDangerousMethods"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexinsecureendpoint">ApexInsecureEndpoint</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Checks against accessing endpoints over plain <strong>http</strong>. You should always use
<strong>https</strong>, so that the connection is encrypted and the remote endpoint is authenticated.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexInsecureEndpointRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexInsecureEndpointRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kt">void</span> <span class="nf">foo</span><span class="o">()</span> <span class="o">{</span>
<span class="nc">HttpRequest</span> <span class="n">req</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HttpRequest</span><span class="o">();</span>
<span class="n">req</span><span class="o">.</span><span class="na">setEndpoint</span><span class="o">(</span><span class="err">'</span><span class="nl">http:</span><span class="c1">//localhost:com');</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexInsecureEndpoint"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexopenredirect">ApexOpenRedirect</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Checks against redirects to user-controlled locations. This prevents attackers from
redirecting users to phishing sites.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexOpenRedirectRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexOpenRedirectRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="nc">String</span> <span class="n">unsafeLocation</span> <span class="o">=</span> <span class="nc">ApexPage</span><span class="o">.</span><span class="na">getCurrentPage</span><span class="o">().</span><span class="na">getParameters</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="err">'</span><span class="n">url_param</span><span class="err">'</span><span class="o">);</span>
<span class="nc">PageReference</span> <span class="nf">page</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">PageReference</span><span class="o">(</span><span class="n">unsafeLocation</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexOpenRedirect"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexsharingviolations">ApexSharingViolations</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Detects classes declared without an explicit sharing mode when DML methods are used. This
forces the developer to take access restrictions into account before modifying objects.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSharingViolationsRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexSharingViolationsRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="c1">// DML operation here</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexSharingViolations"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexsoqlinjection">ApexSOQLInjection</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Detects the usage of untrusted / unescaped variables in dynamic DML queries (such as the <code class="language-plaintext highlighter-rouge">Database.query</code> call in the example below).</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexSOQLInjectionRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">test1</span><span class="o">(</span><span class="nc">String</span> <span class="n">t1</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">Database</span><span class="o">.</span><span class="na">query</span><span class="o">(</span><span class="err">'</span><span class="no">SELECT</span> <span class="nc">Id</span> <span class="no">FROM</span> <span class="nc">Account</span><span class="err">'</span> <span class="o">+</span> <span class="n">t1</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexSOQLInjection"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexsuggestusingnamedcred">ApexSuggestUsingNamedCred</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Detects hardcoded credentials used in requests to an endpoint.</p>
<p>You should refrain from hardcoding credentials:</p>
<ul>
<li>They are hard to maintain, being mixed into application code</li>
<li>They are particularly hard to update when used from different classes</li>
<li>Granting a developer access to the codebase means granting knowledge
of the credentials; keeping two separate levels of access is not possible.</li>
<li>Using different credentials for different environments is troublesome
and error-prone.</li>
</ul>
<p>Instead, you should use <em>Named Credentials</em> and a callout endpoint.</p>
<p>For more information, see the <a href="https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_callouts_named_credentials.htm">Salesforce documentation on Named Credentials</a>.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSuggestUsingNamedCredRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexSuggestUsingNamedCredRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">foo</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">,</span> <span class="nc">String</span> <span class="n">password</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">Blob</span> <span class="n">headerValue</span> <span class="o">=</span> <span class="nc">Blob</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="n">username</span> <span class="o">+</span> <span class="sc">':'</span> <span class="o">+</span> <span class="n">password</span><span class="o">);</span>
<span class="nc">String</span> <span class="n">authorizationHeader</span> <span class="o">=</span> <span class="err">'</span><span class="no">BASIC</span> <span class="err">'</span> <span class="o">+</span> <span class="nc">EncodingUtil</span><span class="o">.</span><span class="na">base64Encode</span><span class="o">(</span><span class="n">headerValue</span><span class="o">);</span>
<span class="n">req</span><span class="o">.</span><span class="na">setHeader</span><span class="o">(</span><span class="err">'</span><span class="nc">Authorization</span><span class="err">'</span><span class="o">,</span> <span class="n">authorizationHeader</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexSuggestUsingNamedCred"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexxssfromescapefalse">ApexXSSFromEscapeFalse</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Reports on calls to <code class="language-plaintext highlighter-rouge">addError</code> with disabled escaping. The message passed to <code class="language-plaintext highlighter-rouge">addError</code>
will be displayed directly to the user in the UI, making it prime ground for XSS
attacks if unescaped.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromEscapeFalseRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromEscapeFalseRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="nc">Trigger</span><span class="o">.</span><span class="na">new</span><span class="o">[</span><span class="mi">0</span><span class="o">].</span><span class="na">addError</span><span class="o">(</span><span class="n">vulnerableHTMLGoesHere</span><span class="o">,</span> <span class="kc">false</span><span class="o">);</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>100</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexXSSFromEscapeFalse"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
<h2 id="apexxssfromurlparam">ApexXSSFromURLParam</h2>
<p><strong>Since:</strong> PMD 5.5.3</p>
<p><strong>Priority:</strong> Medium (3)</p>
<p>Makes sure that all values obtained from URL parameters are properly escaped / sanitized
to avoid XSS attacks.</p>
<p><strong>This rule is defined by the following Java class:</strong> <a href="https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.java">net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromURLParamRule</a></p>
<p><strong>Example(s):</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">without</span> <span class="n">sharing</span> <span class="kd">class</span> <span class="nc">Foo</span> <span class="o">{</span>
<span class="nc">String</span> <span class="n">unescapedstring</span> <span class="o">=</span> <span class="nc">ApexPage</span><span class="o">.</span><span class="na">getCurrentPage</span><span class="o">().</span><span class="na">getParameters</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="err">'</span><span class="n">url_param</span><span class="err">'</span><span class="o">);</span>
<span class="nc">String</span> <span class="n">usedLater</span> <span class="o">=</span> <span class="n">unescapedstring</span><span class="o">;</span>
<span class="o">}</span>
</code></pre></div></div>
<p><strong>This rule has the following properties:</strong></p>
<table>
<thead>
<tr>
<th>Name</th>
<th>Default Value</th>
<th>Description</th>
<th>Multivalued</th>
</tr>
</thead>
<tbody>
<tr>
<td>cc_categories</td>
<td>Security</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Categories</td>
<td>yes. Delimiter is |.</td>
</tr>
<tr>
<td>cc_remediation_points_multiplier</td>
<td>50</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Remediation Points multiplier</td>
<td>no</td>
</tr>
<tr>
<td>cc_block_highlighting</td>
<td>false</td>
<td><span style="border-radius: 0.25em; color: #fff; padding: 0.2em 0.6em 0.3em; display: inline; background-color: #d9534f; font-size: 75%;">Deprecated</span> Code Climate Block Highlighting</td>
<td>no</td>
</tr>
</tbody>
</table>
<p><strong>Use this rule with the default properties by just referencing it:</strong></p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;rule</span> <span class="na">ref=</span><span class="s">"category/apex/security.xml/ApexXSSFromURLParam"</span> <span class="nt">/&gt;</span>
</code></pre></div></div>
</div>
</div>
<!-- /.row -->
</div>
<!-- /.container -->
</div>
</div>
</body>
</html>