
Metadata

ID: apex-security/sharing-level-for-query

Language: Apex

Severity: Notice

Category: Security

CWE: 284

Description

Use with sharing by default so that the organization's sharing rules are enforced for the running user. Use without sharing cautiously, only where elevated access is genuinely required (for example, to let community users view specific records they would not otherwise see). Use inherited sharing for service classes that must adopt the sharing mode of whichever class calls them.

Review your code carefully

  • Does this code access or modify restricted records?
  • Could this code be executed by users who should not have access to those records?
  • If the class is marked inherited sharing, could it be invoked by a class marked without sharing?

If you answered yes to any of these, there is a security risk.


  • Prefer with sharing whenever possible.
  • Use without sharing only after confirming the code cannot be accessed by unauthorized users.
  • Use inherited sharing only if all calling classes marked without sharing are verified as safe.
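The following is an added example, not code from the Datadog rule page, showing why the third question above matters: an inherited sharing service class takes the sharing mode of its caller, so the same query returns different record sets depending on the entry point. The class names (ContactNameService, ContactListController, ContactExportJob) are assumed for illustration; the WITH USER_MODE clause in the hardened variant assumes an org whose API version supports user-mode database operations.

```apex
// Service class: runs with sharing when called from a with sharing class
// (or when it is the entry point itself) and without sharing when called
// from a without sharing class. This is the behaviour the rule warns about.
public inherited sharing class ContactNameService {
    public static List<String> getNames() {
        List<String> names = new List<String>();
        for (Contact c : [SELECT Name FROM Contact]) {
            names.add(c.Name);
        }
        return names;
    }

    // Hardened variant: WITH USER_MODE enforces the running user's sharing
    // rules (and field-level security) regardless of the caller's mode, so
    // a without sharing caller can no longer widen what this query returns.
    public static List<String> getNamesUserMode() {
        List<String> names = new List<String>();
        for (Contact c : [SELECT Name FROM Contact WITH USER_MODE]) {
            names.add(c.Name);
        }
        return names;
    }
}

// Safe entry point: with sharing propagates into the service, so only
// contacts visible to the running user are returned.
public with sharing class ContactListController {
    public static List<String> visibleContactNames() {
        return ContactNameService.getNames();
    }
}

// Risky entry point: without sharing propagates into the service, so
// getNames() now returns every Contact in the org to whoever can reach
// this class. getNamesUserMode() stays restricted even from here.
public without sharing class ContactExportJob {
    public static List<String> allContactNames() {
        return ContactNameService.getNames();
    }

    public static List<String> restrictedContactNames() {
        return ContactNameService.getNamesUserMode();
    }
}
```

Each top-level class above belongs in its own .cls file in a real deployment. When reviewing an inherited sharing class, enumerate every class that calls it; if any caller is without sharing and reachable by users who should not see the queried records, either change that caller or make the service enforce sharing itself, as the user-mode variant does.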


Non-Compliant Code Examples

public without sharing class MyClass {
  public void test() {
    // SOSL query
    List<List<SObject>> searchList = [
        FIND 'Acme*' 
        IN ALL FIELDS 
        RETURNING Account(Id, Name), Contact(Id, FirstName, LastName), Opportunity(Id, Name)
    ];

    List<Account> accounts = (List<Account>) searchList[0];
    List<Contact> contacts = (List<Contact>) searchList[1];
    List<Opportunity> opportunities = (List<Opportunity>) searchList[2];

    System.debug('Accounts found: ' + accounts);
    System.debug('Contacts found: ' + contacts);
    System.debug('Opportunities found: ' + opportunities);
  }
}

public without sharing class MyClass {
  public void testAccount() {
    Account acc = new Account(Name = 'Big Corp');
    // DML statements executed without sharing rules
    insert acc;

    acc.Name = 'Acme Corp - Updated';
    update acc;

    delete acc;
  }
}

public inherited sharing class MyClass {
  // Runs without sharing whenever the calling class is without sharing
  public List<Contact> getAllNames() {
    return [SELECT Name FROM Contact];
  }
}

public without sharing class MyClass {
  // Returns every Contact regardless of the running user's sharing access
  public List<Contact> getAllNames() {
    return [SELECT Name FROM Contact];
  }
}

Compliant Code Examples

public with sharing class MyClass {
  // Sharing rules are enforced: only Contacts visible to the running user are returned
  public List<Contact> getAllNames() {
    return [SELECT Name FROM Contact];
  }
}