二阶 SOQL SOSL 注入 SFDC
Second Order SOQL SOSL Injection SFDC
我在 Checkmarx 中遇到错误。
Method abortJob
at line 209 of XXX/classes/Monitoring.cls
gets user input
from the select
element.
This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a database query in method jobAbortRem
at line 209 of XXX/classes/Monitoring.cls
.
This may enable an
SOQL Injection attack.
Source Destination
File XXXX/classes/Monitoring.cls XXXX/classes/Monitoring.cls
Line 212 217
Object select select
public static void abortJob() //line no. 209
{
list<CronTrigger> detailId=[select id FROM CronTrigger
where (CronJobDetail.Name='myJobName') AND NextFireTime = null]; //line 212
if (detailId.size() > 0)
{
Id jobId = [SELECT Id from CronTrigger WHERE id = :detailId].get(0).Id; //and line 217
System.abortJob(jobId);
Monitoring.scheduleJob();
}
}
帮我看看我怎样才能通过 Checkmarx 审核。
谢谢
使用 escapeSingleQuotes 方法清理 detailId 的每个元素(我建议重命名这个)集合
public static void abortJob() {
list<CronTrigger> detailId=[select id FROM CronTrigger where (CronJobDetail.Name='myJobName' ) AND NextFireTime =null];
Id jobId ;
for (CronTrigger currentCron : detailId) {
jobId = String.escapeSingleQuotes(currentCron.Id);
}
if (jobId !=null) {
System.abortJob(jobId);
Monitoring.scheduleJob();
}
}
这是有用的 Salesforce Secure Coding 参考资料
您可能还想尝试这种类型的循环来处理查询结果的每一项
https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/langCon_apex_loops_for_SOQL.htm
我在 Checkmarx 中遇到错误。
Method
abortJob
at line 209 ofXXX/classes/Monitoring.cls
gets user input from theselect
element.
This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a database query in methodjobAbortRem
at line 209 ofXXX/classes/Monitoring.cls
.
This may enable an SOQL Injection attack.
Source Destination
File XXXX/classes/Monitoring.cls XXXX/classes/Monitoring.cls
Line 212 217
Object select select
public static void abortJob() //line no. 209
{
list<CronTrigger> detailId=[select id FROM CronTrigger
where (CronJobDetail.Name='myJobName') AND NextFireTime = null]; //line 212
if (detailId.size() > 0)
{
Id jobId = [SELECT Id from CronTrigger WHERE id = :detailId].get(0).Id; //and line 217
System.abortJob(jobId);
Monitoring.scheduleJob();
}
}
帮我看看我怎样才能通过 Checkmarx 审核。
谢谢
使用 escapeSingleQuotes 方法清理 detailId 的每个元素(我建议重命名这个)集合
public static void abortJob() {
list<CronTrigger> detailId=[select id FROM CronTrigger where (CronJobDetail.Name='myJobName' ) AND NextFireTime =null];
Id jobId ;
for (CronTrigger currentCron : detailId) {
jobId = String.escapeSingleQuotes(currentCron.Id);
}
if (jobId !=null) {
System.abortJob(jobId);
Monitoring.scheduleJob();
}
}
这是有用的 Salesforce Secure Coding 参考资料
您可能还想尝试这种类型的循环来处理查询结果的每一项 https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/langCon_apex_loops_for_SOQL.htm