[SalesForce] How to avoid SOQL/SOSL Injection security review issue

I am facing following security review issue.

I am getting SOQL/SOSL security review issue for the below format of code:

String whereclause -> name = 'test'; //assume whereclause entered by user

String str = 'select id from account where' + whereclause; 

System.debug(str); //---> select id from account where name = 'test'

Database.query(strEsc);

I have tried to solve this issue using String.escapesingleQuote method but I am getting

no viable alternative at character '\' error.

Please see the code below:

String whereclause -> name = 'test'; //assume whereclause entered by user

String str = 'select id from account where' + whereclause; 

System.debug(str); //---> select id from account where name = 'test'

String strEsc = String.escapeSingleQuotes(str);  //-->select id from account where name = \'test\'

Database.query(strEsc); //Error ( no viable alternative at character '\')

It's not a code issue as much as it is a design issue.

Yes @martin, you are correct.

To handle SOQL injections we have changed design something like this:

In our page, we are also planning to display filter criteria as it is like this. I will create a UI in such away that user able to choose Field, Operator and Value. In code level will use these variables escapeSingleQuotes method.

My question here is, Is this design will resolve SOQL injection issue?

Thanks

Best Answer

Here is an example. You will have to pretty it up but it shows how entering:

Name = 'test'

into the where clause causes errors with the escaped query but not the unescaped

Controller

public class SOQLInjectionTest{


    public string whereClause{
        get{
            return whereClause;
        }
        set;
    }

    public Account[] accts {get;set;}

    public string queryStringBasic{

       get{
           return 'Select ID From Account Where ' + whereClause;
       }
       set;

    }

    public string queryStringEscaped{

       get{
           return 'Select ID From Account Where ' + string.escapeSingleQuotes(whereClause);
       }
       set;

   }

   public void basicQuery(){
       accts = database.query(queryStringBasic); 

   }

   public void escapedQuery(){
       accts = database.query(queryStringEscaped); 
   }


}

VF Page (Needs prettied up but you get the point)

<apex:page controller="SOQLInjectionTest">


<apex:pageMessages id="msgs"/>


<apex:form >
    Enter Where Clause <apex:inputText value="{!whereClause}"/>
    <apex:commandButton value="No Escape Query" action="{!basicQuery}" rerender="msgs,opt_pnl"/>
    <apex:commandButton value="Escape Query" action="{!escapedQuery}" rerender="msgs,opt_pnl"/>


    <apex:outPutpanel id="opt_pnl" layout="block">
        Account: {!accts}
        Where Clause: {!whereClause}
    </apex:outPutPanel>
</apex:form>



</apex:page>

So given this how are we supposed to prevent injection. Or is this use case just a great example of what we should NOT be doing?

The examples provided here https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_soql_injection.htm as a way to test injection results with injection: `test%') OR (Name LIKE '.

So does it depend on how the query is structured? It would seem that there is not a need to escape when you are constructing an entire where clause....but then you are leaving the query wide open anyway.....hmmmmm

So I guess you are left with trying to justify it and ensure you are only returning records the user has access to. `

Related Solutions

[SalesForce] Getting SOQL/SOSL Injection error when I send the code for security review

Dynamic SOQL will not pass the security review. Your code is pretty safe because the end user has no possible way of injecting anything into the query.

From here

If you must use dynamic SOQL, use the escapeSingleQuotes method to sanitize user-supplied input. This method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.

You will need to call escapeSingleQuotes on the entire query string. The security scanner is not smart enough to know that you have already called it on the only variable that can change in your query. You should be doing this:

eventList = database.query(String.escapeSingleQuotes(queryString));

[SalesForce] countQuery() returns System.QueryException: unexpected token: ‘:’

There's really no reason that you need to do all that fancy footwork. You can just trust the system to tell you what you need to know. Here's an implementation that I whipped up for you:

public class Utils {
    static Boolean validId(String recordIdString) {
        try {
            Id recordId = (Id)recordIdString;
            String sobjectName = String.valueOf(recordId.getSObjectType());
            return Database.countQuery('SELECT COUNT() FROM '+sobjectName+' WHERE Id = :recordId') > 0;
        } catch(Exception e) {
            return false;
        }
    }
}

I've also posted this as a gist.

The try-catch block will catch the TypeException if it's not a valid Id (from the cast), or a NullPointerException if it's a null Id, and possibly a QueryException if the Id points to an object that can't be queried (rare, but they are there).

I'm pretty sure that even the automated scanner won't give you a red flag for this code, but even if it did, a simple review should clearly identify that no injection is possible as long as it's used in the appropriate sharing context; user-facing code should be "with sharing" to prevent leaking Id values they should't know about.

You can actually do this without a try-catch as well:

static Boolean validId(String recordIdString) {
    return recordIdString instanceOf Id &&
         Id.valueOf(recordIdString).getSObjectType().getDescribe().isQueryable() &&
         0 < Database.countQuery(
             'SELECT COUNT() FROM '+
             String.valueOf(Id.valueOf(recordIdString).getSObjectType())+
             ' WHERE Id = :recordIdString');
    }
}

I find this to be a little less readable, but is Exception-free and probably better for performance.

Note: Id.valueOf is broken in older versions of the API, so make sure you're using a recent version of the API for your class (e.g. version 37.0).

Best Answer

Related Solutions

[SalesForce] Getting SOQL/SOSL Injection error when I send the code for security review

[SalesForce] countQuery() returns System.QueryException: unexpected token: ‘:’

Related Topic