
Metadata

ID: apex-security/soql-injection

Language: Apex

Severity: Warning

Category: Security

CWE: 89

Description

This rule aims to prevent SOQL injection vulnerabilities in Apex code. SOQL injection occurs when untrusted user input is concatenated directly into dynamic SOQL queries, potentially allowing attackers to manipulate the query and access or modify unauthorized data. This can lead to serious security risks including data leakage or corruption.

To avoid SOQL injection, always sanitize user inputs before incorporating them into dynamic SOQL queries. The recommended approach is to use the String.escapeSingleQuotes() method on any string variables that are concatenated into query strings. This method escapes special characters that could alter the intended query structure.
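As an added example (not code from the Datadog rule page), the class below shows the escaping the description recommends next to two techniques a practitioner would usually reach for first: bind variables, which keep the value out of the query text entirely, and an allow-list for the parts of a query that escaping cannot protect, such as an object name spliced in outside a string literal (the situation in the fourth non-compliant example below, where only the search key is escaped). The class and method names, the allow-list contents, and the use of Database.queryWithBinds with AccessLevel.USER_MODE (available in recent API versions) are assumptions of this example.

```apex
// Added example, not part of the Datadog rule page. Class, method and
// allow-list names are hypothetical.
public with sharing class SafeAccountQuery {

    // 1. Preferred: a bind variable. The value never becomes part of the
    //    query text, so quotes inside `name` cannot change the query structure.
    public static List<Account> findByName(String name) {
        return Database.query('SELECT Id, Name FROM Account WHERE Name = :name');
    }

    // 2. Same idea with an explicit bind map and user-mode enforcement
    //    (Database.queryWithBinds and AccessLevel are assumed to be available
    //    in the org's API version).
    public static List<Account> findByNameWithBinds(String name) {
        Map<String, Object> binds = new Map<String, Object>{ 'name' => name };
        return Database.queryWithBinds(
            'SELECT Id, Name FROM Account WHERE Name = :name',
            binds,
            AccessLevel.USER_MODE
        );
    }

    // 3. When the input must be spliced into a quoted string literal (for
    //    example to build a LIKE pattern), escape the quotes first. This is
    //    the pattern the rule checks for: the concatenated variable must come
    //    from String.escapeSingleQuotes().
    public static List<Account> findByPrefix(String prefix) {
        String safePrefix = String.escapeSingleQuotes(prefix);
        return Database.query(
            'SELECT Id, Name FROM Account WHERE Name LIKE \'' + safePrefix + '%\''
        );
    }

    // 4. Escaping quotes does nothing for input that lands outside a string
    //    literal, such as an object or field name. Validate those against a
    //    fixed allow-list instead (Set<String>.contains is case-sensitive).
    private static final Set<String> ALLOWED_OBJECTS = new Set<String>{ 'Account', 'Contact' };

    public static List<SObject> findByObject(String objectName, String searchKey) {
        if (!ALLOWED_OBJECTS.contains(objectName)) {
            throw new IllegalArgumentException('Unsupported object: ' + objectName);
        }
        String safeKey = String.escapeSingleQuotes(searchKey);
        return Database.query(
            'SELECT Id, Name FROM ' + objectName +
            ' WHERE Name LIKE \'%' + safeKey + '%\''
        );
    }
}
```

The ordering is deliberate: bind variables remove the problem, String.escapeSingleQuotes() contains it for values inside quoted literals, and an allow-list is the only option for identifiers that are part of the query grammar itself.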

Non-Compliant Code Examples

// Non-compliant: the parameter `foo` is concatenated into the query unsanitized.
public class ApexClass {
	public void method(String foo) {
		Database.query('SELECT Id FROM Account' + foo);
	}
}

// Non-compliant: copying the input into another variable does not sanitize it.
public class ApexClass {
	public void method(String foo) {
		String bar = foo;
		Database.query('SELECT Id FROM Account' + bar);
	}
}

// Non-compliant: the String parameter `s1` reaches the query without escaping.
public class ApexClass {
	public void method(Integer i1, String s1, Integer s2) {
		Database.query('SELECT Id FROM Account' + s1);
	}
}

// Non-compliant: `searchKey` is escaped, but `objectName` is concatenated
// into the query unsanitized.
public class ApexClass {
	public static List<Person> findPerson(String objectName, String searchKey) {
		List<Person> results = Database.query(
			'SELECT Id, Name ' +
				'FROM ' + objectName + ' ' +
				'WHERE Name LIKE \'%' + String.escapeSingleQuotes(searchKey) + '%\''
		);

		return results;
	}
}

Compliant Code Examples

// Compliant: the input is passed through String.escapeSingleQuotes() before concatenation.
public class ApexClass {
	public void method(String bar) {
		String foo = String.escapeSingleQuotes(bar);
		Database.query('SELECT Id FROM Account' + foo);
	}
}

// Compliant: the escaped value is what reaches the query, even via an intermediate variable.
public class ApexClass {
	public void method(String foo) {
		String bar = foo;
		String baz = String.escapeSingleQuotes(bar);
		Database.query('SELECT Id FROM Account' + baz);
	}
}

// Compliant: only the String parameter is concatenated, and it is escaped first.
public class ApexClass {
	public void method(Integer arg1, String arg2, Integer arg3) {
		String foobar = String.escapeSingleQuotes(arg2);
		Database.query('SELECT Id FROM Account' + foobar);
	}
}

// Compliant: the escaping still applies when the input is copied before being escaped.
public class ApexClass {
	public void method(Integer arg1, String arg2, Integer arg3) {
		String str = arg2;
		String foobar = String.escapeSingleQuotes(str);
		Database.query('SELECT Id FROM Account' + foobar);
	}
}