[SalesForce] Getting SOQL/SOSL Injection error when I send the code for security review

I have send my code for security review I am getting error for SOQL/SOSL Injection. I have made the changes on the bases they have mention in report. But even I am getting issue with dynamic soql I am doing in my code. My updated code :

    string userId = String.escapeSingleQuotes(UserInfo.getUserId());        
    String queryString = 'Select Conference_Call__c,Conference_Call_Info_Details__c,Meeting_Date__c,Id,Meeting_Id__c,StartDateTime__c,EndDateTime__c,Subject__c,Type__c,Conference_Call_Info__c from GoTo_Meeting__c where OwnerId= :userId';       


    if(optionSelected == 'Meeting History')
        queryString +=' and StartDateTime__c < Today'; 
    else if(optionSelected == 'Upcoming Meetings')
        queryString +=' and StartDateTime__c > Today'; 
    else
        queryString +=' and StartDateTime__c = ' +optionSelected; 

    queryString += ' order By ' + sortFullExp;
    queryString += ' Limit 1000';        
    eventList = database.query(queryString);

security review is displaying the SOQL/SOSL Injection error on eventList = database.query(queryString);
Can anyone please help me to solve this issue.

Best Answer

Dynamic SOQL will not pass the security review. Your code is pretty safe because the end user has no possible way of injecting anything into the query.

From here

If you must use dynamic SOQL, use the escapeSingleQuotes method to sanitize user-supplied input. This method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.

You will need to call escapeSingleQuotes on the entire query string. The security scanner is not smart enough to know that you have already called it on the only variable that can change in your query. You should be doing this:

eventList = database.query(String.escapeSingleQuotes(queryString));

Related Solutions

[SalesForce] How to avoid SOQL/SOSL Injection security review issue

Here is an example. You will have to pretty it up but it shows how entering:

Name = 'test'

into the where clause causes errors with the escaped query but not the unescaped

Controller

public class SOQLInjectionTest{


    public string whereClause{
        get{
            return whereClause;
        }
        set;
    }

    public Account[] accts {get;set;}

    public string queryStringBasic{

       get{
           return 'Select ID From Account Where ' + whereClause;
       }
       set;

    }

    public string queryStringEscaped{

       get{
           return 'Select ID From Account Where ' + string.escapeSingleQuotes(whereClause);
       }
       set;

   }

   public void basicQuery(){
       accts = database.query(queryStringBasic); 

   }

   public void escapedQuery(){
       accts = database.query(queryStringEscaped); 
   }


}

VF Page (Needs prettied up but you get the point)

<apex:page controller="SOQLInjectionTest">


<apex:pageMessages id="msgs"/>


<apex:form >
    Enter Where Clause <apex:inputText value="{!whereClause}"/>
    <apex:commandButton value="No Escape Query" action="{!basicQuery}" rerender="msgs,opt_pnl"/>
    <apex:commandButton value="Escape Query" action="{!escapedQuery}" rerender="msgs,opt_pnl"/>


    <apex:outPutpanel id="opt_pnl" layout="block">
        Account: {!accts}
        Where Clause: {!whereClause}
    </apex:outPutPanel>
</apex:form>



</apex:page>

So given this how are we supposed to prevent injection. Or is this use case just a great example of what we should NOT be doing?

The examples provided here https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_soql_injection.htm as a way to test injection results with injection: `test%') OR (Name LIKE '.

So does it depend on how the query is structured? It would seem that there is not a need to escape when you are constructing an entire where clause....but then you are leaving the query wide open anyway.....hmmmmm

So I guess you are left with trying to justify it and ensure you are only returning records the user has access to. `

[SalesForce] Prevent SOQL Injection in Your Code

I see a few things wrong with your code. The first is, you're not utilizing the type casting that the challenge talks about. Try changing the "numberOne" member variable to an Integer and using the appropriate type casting in stringSearchThree.

I also added checks into stringSearchThree to check whether the comparison operator is < or >. I'm not sure if you need that piece or not.

Last, some of the checks are case sensitive, so make sure you update all the occurrences of string.escapeSingleQuotes to String.escapeSingleQuotes

Best Answer

Related Solutions

[SalesForce] How to avoid SOQL/SOSL Injection security review issue

[SalesForce] Prevent SOQL Injection in Your Code

Related Topic