This rule aims to prevent SOQL injection vulnerabilities in Apex code. SOQL injection occurs when untrusted user input is concatenated directly into a dynamic SOQL query, allowing an attacker to change the meaning of the query and read or modify data they are not authorized to access. This can lead to serious security risks, including data leakage or corruption.
To avoid SOQL injection, always sanitize user input before incorporating it into a dynamic SOQL query. The recommended approach is to call String.escapeSingleQuotes() on any string variable that is concatenated into the query string. This method adds a backslash before every single quote in the value, so the input cannot terminate the quoted literal it is placed in and alter the intended query structure.
Non-Compliant Code Examples
```apex
public class ApexClass {
    public void method(String foo) {
        // Untrusted input is appended to the query text without sanitization.
        Database.query('SELECT Id FROM Account ' + foo);
    }
}
```

```apex
public class ApexClass {
    public void method(String foo) {
        // Copying the input to another variable does not sanitize it.
        String bar = foo;
        Database.query('SELECT Id FROM Account ' + bar);
    }
}
```

```apex
public class ApexClass {
    public void method(Integer i1, String s1, Integer s2) {
        // Only the String parameter can carry injected SOQL; it is used unescaped here.
        Database.query('SELECT Id FROM Account ' + s1);
    }
}
```

```apex
public class ApexClass {
    public static List<Person> findPerson(String objectName, String searchKey) {
        // searchKey is escaped, but objectName is still concatenated unsanitized.
        List<Person> results = Database.query(
            'SELECT Id, Name ' +
            'FROM ' + objectName + ' ' +
            'WHERE Name LIKE \'%' + String.escapeSingleQuotes(searchKey) + '%\''
        );
        return results;
    }
}
```
Compliant Code Examples
```apex
public class ApexClass {
    public void method(String bar) {
        // Single quotes in the input are escaped before concatenation.
        String foo = String.escapeSingleQuotes(bar);
        Database.query('SELECT Id FROM Account ' + foo);
    }
}
```

```apex
public class ApexClass {
    public void method(String foo) {
        String bar = foo;
        // The escaped copy, not the raw input, reaches the query.
        String baz = String.escapeSingleQuotes(bar);
        Database.query('SELECT Id FROM Account ' + baz);
    }
}
```

```apex
public class ApexClass {
    public void method(Integer arg1, String arg2, Integer arg3) {
        String foobar = String.escapeSingleQuotes(arg2);
        Database.query('SELECT Id FROM Account ' + foobar);
    }
}
```

```apex
public class ApexClass {
    public void method(Integer arg1, String arg2, Integer arg3) {
        String str = arg2;
        String foobar = String.escapeSingleQuotes(str);
        Database.query('SELECT Id FROM Account ' + foobar);
    }
}
```
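As an added example (not part of the Datadog rule page or its fixtures), here is a hardened version of the findPerson pattern from the non-compliant section. It goes one step beyond the page: because an sObject name can never sit inside quotes in SOQL, String.escapeSingleQuotes() cannot protect it, so the object name is checked against a fixed allow list instead. The class name SafeRecordSearch, the ALLOWED_OBJECTS set and the buildQuery helper are names chosen for this example.

```apex
// Added example, not code from the Datadog rule page. Hardens the findPerson pattern above.
public with sharing class SafeRecordSearch {

    // An sObject name is never quoted in SOQL, so escapeSingleQuotes() cannot sanitize it.
    // Accept only names from a fixed allow list (constructed for this example).
    private static final Set<String> ALLOWED_OBJECTS = new Set<String>{ 'Account', 'Contact' };

    // Builds the query text separately so it can be unit-tested without touching the database.
    @TestVisible
    private static String buildQuery(String objectName, String searchKey) {
        if (!ALLOWED_OBJECTS.contains(objectName)) {
            throw new IllegalArgumentException('Unsupported object: ' + objectName);
        }
        // searchKey is placed inside a quoted literal, which is exactly where
        // escapeSingleQuotes() is effective: each single quote gets a leading backslash,
        // so the value cannot close the literal and append its own SOQL.
        String safeKey = String.escapeSingleQuotes(searchKey);
        return 'SELECT Id, Name FROM ' + objectName
             + ' WHERE Name LIKE \'%' + safeKey + '%\'';
    }

    public static List<SObject> find(String objectName, String searchKey) {
        return Database.query(buildQuery(objectName, searchKey));
    }
}
```

A test class can call SafeRecordSearch.buildQuery with a search key containing a single quote and assert that the returned text keeps that quote backslash-escaped inside the LIKE literal, and that an object name outside the allow list raises IllegalArgumentException.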
How to use this rule
```yaml
rulesets:
  - apex-security # Rules to enforce Apex security.
```
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines