Metadata

ID: apex-security/sharing-level-for-query

Language: Apex

Severity: Notice

Category: Security

CWE: 284

Description

Declare classes with sharing by default so that they respect the organization’s sharing rules. Use the without sharing mode cautiously, only when elevated access is necessary, such as allowing community users to view certain records. The inherited sharing mode is ideal for service classes that need to adapt to the calling context’s sharing mode.

Review your code carefully

  • Does this code access or modify restricted records?
  • Could this code be executed by users who should not have access to those records?
  • If the class is marked inherited sharing, could it be invoked by a class marked without sharing?

If you answered yes to any of these, there is a security risk.


  • Prefer with sharing whenever possible.
  • Use without sharing only after confirming the code cannot be accessed by unauthorized users.
  • Use inherited sharing only if all calling classes marked without sharing are verified as safe.
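
The third review question, shown as an added example that is not part of the original rule documentation: one inherited sharing service reached through callers with different sharing modes. All class names and the Public_Listing__c custom field are hypothetical.

```apex
// Added example; class names are hypothetical. Each top-level class
// would live in its own .cls file in a real project.

// Service class: adopts the sharing mode of whichever class calls it.
public inherited sharing class ContactNameService {
  public List<String> getNames() {
    List<String> names = new List<String>();
    for (Contact c : [SELECT Name FROM Contact]) {
      names.add(c.Name);
    }
    return names;
  }
}

// Caller 1: with sharing. The service query above returns only the
// Contacts the running user can see under the org's sharing rules.
public with sharing class ContactListController {
  @AuraEnabled(cacheable=true)
  public static List<String> getVisibleNames() {
    return new ContactNameService().getNames();
  }
}

// Caller 2: without sharing. The same service query now ignores
// sharing rules and returns every Contact in the org to this caller.
// This is the path the third review question asks you to check.
public without sharing class ContactDirectoryExport {
  public List<String> exportNames() {
    return new ContactNameService().getNames();
  }
}

// Caller 3: without sharing kept narrow. Elevated access is limited to
// one fixed filter (assumption: a hypothetical Public_Listing__c
// checkbox) instead of delegating to the general-purpose service.
public without sharing class PublicContactDirectory {
  public List<String> getPublicNames() {
    List<String> names = new List<String>();
    for (Contact c : [SELECT Name FROM Contact
                      WHERE Public_Listing__c = true]) {
      names.add(c.Name);
    }
    return names;
  }
}
```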

Non-Compliant Code Examples

public without sharing class MyClass {
  public void test() {
    // SOSL query
    List<List<SObject>> searchList = [
        FIND 'Acme*' 
        IN ALL FIELDS 
        RETURNING Account(Id, Name), Contact(Id, FirstName, LastName), Opportunity(Id, Name)
    ];

    List<Account> accounts = (List<Account>) searchList[0];
    List<Contact> contacts = (List<Contact>) searchList[1];
    List<Opportunity> opportunities = (List<Opportunity>) searchList[2];

    System.debug('Accounts found: ' + accounts);
    System.debug('Contacts found: ' + contacts);
    System.debug('Opportunities found: ' + opportunities);
  }
}

public without sharing class MyClass {
  public void testAccount() {
    Account acc = new Account(Name = 'Big Corp');
    // dml expression
    insert acc;

    acc.Name = 'Acme Corp - Updated';
    update acc;

    delete acc;
  }
}

public inherited sharing class MyClass {
  public List<Contact> getAllNames() {
    return [SELECT Name FROM Contact];
  }
}

public without sharing class MyClass {
  public List<Contact> getAllNames() {
    return [SELECT Name FROM Contact];
  }
}

Compliant Code Examples

public with sharing class MyClass {
  public List<Contact> getAllNames() {
    return [SELECT Name FROM Contact];
  }
}