Classes with SOQL queries must specify sharing level

Metadata

ID: apex-security/class-sharing-level

Language: Apex

Severity: Warning

Category: Security

CWE: 284

Description

This rule ensures that any Apex class that uses SOQL or SOSL declares its sharing mode using one of the keywords: with sharing, without sharing, or inherited sharing. Specifying the sharing level is crucial because it controls whether the class respects the current user’s record-level access permissions when accessing Salesforce data. Without an explicit sharing declaration, the default behavior can lead to unintended data exposure or security issues.

Note that exception classes and classes without any SOQL queries are exempt from this rule, as they do not directly access Salesforce records. Following this best practice ensures that your Apex code respects organizational security policies and prevents accidental data leaks.

Non-Compliant Code Examples

// No sharing keyword on a global class that runs a SOQL query.
global class MyGlobalClass {
  public List<Contact> getAllTheSecrets() {
    return [SELECT Name FROM Contact];
  }
}

// No sharing keyword on an abstract class that runs a SOQL query.
public abstract class MyClass {
  public void foo(){
  }

  // SOQL query
  public List<Contact> getAllTheSecrets() {
    return [SELECT Name FROM Contact];
  }
}

// No sharing keyword on a class that runs a SOSL query.
public class MyClass {
  public void foo(){
    // SOSL query
    List<List<SObject>> results = [
        FIND 'acme*' IN ALL FIELDS
        RETURNING
            Account(Id, Name, Industry LIMIT 5),
            Contact(Id, Name, Email LIMIT 5),
            Case(Id, CaseNumber, Subject ORDER BY CreatedDate DESC LIMIT 5)
    ];

    List<Account> accounts = (List<Account>) results[0];
    List<Contact> contacts = (List<Contact>) results[1];
    List<Case>    cases    = (List<Case>)    results[2];
  }
}

Compliant Code Examples

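// No SOQL or SOSL in the class, so no sharing declaration is required.
public class MyClass {
  private void bar(){
  }
}

// Sharing mode declared explicitly: without sharing.
public without sharing abstract class MyClass {
  public List<Contact> getAllTheSecrets() {
    return [SELECT Name FROM Contact];
  }
}

// Sharing mode declared explicitly: with sharing.
public with sharing abstract class MyClass {
  public List<Contact> getAllTheSecrets() {
    return [SELECT Name FROM Contact];
  }
}

// Exception classes are exempt from this rule.
public class MyException extends Exception {
  public List<Contact> getAllTheSecrets() {
    return [SELECT Name FROM Contact];
  }
}

// Sharing mode declared explicitly: inherited sharing.
public inherited sharing class MyClass {
  public List<Contact> getAllTheSecrets() {
    return [SELECT Name FROM Contact];
  }
}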
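
The three sharing keywords from the description, used together in one call path. This is an added example, not part of the rule's own documentation; ContactController, ContactSelector and ContactAudit are hypothetical names, and each top-level class would live in its own file.

```apex
// Hypothetical classes, added for illustration only.

// Entry point: queries made here respect the running user's
// record-level access.
public with sharing class ContactController {
  @AuraEnabled(cacheable=true)
  public static List<Contact> visibleContacts(String lastName) {
    // ContactSelector is declared "inherited sharing", so when it is
    // called from this class its query also runs with sharing and
    // returns only records the current user is allowed to see.
    return ContactSelector.byLastName(lastName);
  }
}

// Reusable data-access class: it takes the sharing mode of its caller.
// When it is itself the entry point of a transaction, it runs as
// "with sharing".
public inherited sharing class ContactSelector {
  public static List<Contact> byLastName(String lastName) {
    // Bind variable keeps the user-supplied value out of the query text.
    return [SELECT Id, Name FROM Contact WHERE LastName = :lastName];
  }
}

// Deliberate system-context access: the keyword documents that ignoring
// record-level sharing is intended here, and the class is kept small so
// the exception is easy to review.
public without sharing class ContactAudit {
  // Returns only an aggregate count, never the records themselves.
  public static Integer totalContacts() {
    return [SELECT COUNT() FROM Contact];
  }
}
```

Declaring the mode on every class that queries data makes the intended behaviour visible at review time, including the cases where bypassing sharing is a deliberate choice.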