Commit 92920fc

Add SOQL/SOSL injection guidance to differentiate from SQL
1 parent 9ac1e43 commit 92920fc

2 files changed (+13 / -1 lines changed)

skills/software-security/rules/codeguard-0-input-validation-injection.md

Lines changed: 12 additions & 1 deletion
@@ -1,6 +1,7 @@
11
---
2-
description: Input validation and injection defense (SQL/LDAP/OS), parameterization, prototype pollution
2+
description: Input validation and injection defense (SQL/SOQL/LDAP/OS), parameterization, prototype pollution
33
languages:
4+
- apex
45
- c
56
- go
67
- html
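Review bot: the `description:` line now lists SOQL but not SOSL, while the section this commit adds is titled `### SOQL/SOSL Injection (Salesforce)` and gives SOSL its own guidance (`FIND :term`, `Search.query()`); suggest `description: Input validation and injection defense (SQL/SOQL/SOSL/LDAP/OS), parameterization, prototype pollution` so the frontmatter matches the body. Adding `- apex` to `languages:` is correct and keeps the list alphabetical.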
@@ -49,6 +50,16 @@ pstmt.setString( 1, custname);
4950
ResultSet results = pstmt.executeQuery( );
5051
```
5152

53+
### SOQL/SOSL Injection (Salesforce)
54+
55+
SOQL and SOSL are query/search languages (no SQL-style DDL/DML). Data changes are performed via Apex DML or Database methods. Note: SOQL can lock rows via `FOR UPDATE`.
56+
57+
- Primary risk: data exfiltration by bypassing intended query filters/business logic; impact is amplified when Apex runs with elevated access (system mode) or when CRUD/FLS aren't enforced.
58+
- Second-order risk (conditional): if queried records are passed to DML, injection can broaden the record set and cause unintended mass updates/deletes.
59+
- Prefer static SOQL/SOSL with bind variables: `[SELECT Id FROM Account WHERE Name = :userInput]` or `FIND :term`.
60+
- For dynamic SOQL, use `Database.queryWithBinds()`; for dynamic SOSL, use `Search.query()`. Allowlist any dynamic identifiers. If concatenation is unavoidable, escape string values with `String.escapeSingleQuotes()`.
61+
- Enforce CRUD/FLS with `WITH USER_MODE` or `WITH SECURITY_ENFORCED` (don't combine both). Enforce record sharing with `with sharing` or user-mode operations. Use `Security.stripInaccessible()` before DML.
62+
5263
### LDAP Injection Prevention
5364
- Always apply context‑appropriate escaping:
5465
- DN escaping for `\ # + < > , ; " =` and leading/trailing spaces
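Review bot: the bullet `For dynamic SOQL, use Database.queryWithBinds(); for dynamic SOSL, use Search.query()` reads as if `Search.query()` were a binding API on a par with `queryWithBinds()`, but `Search.query()` takes an already-assembled SOSL string and does nothing about injection by itself; reword so it is clear that a dynamic SOSL string must be built from allowlisted identifiers, with `String.escapeSingleQuotes()` applied to every user-supplied string, before it is handed to `Search.query()`. The same bullet should also say that `escapeSingleQuotes()` only protects values that end up inside single-quoted literals; numbers, dates, `LIMIT` counts, field names and sort direction are unquoted in SOQL/SOSL and need type conversion or an allowlist rather than escaping.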

src/language_mappings.py

Lines changed: 1 addition & 0 deletions
@@ -9,6 +9,7 @@
99

1010
# Master mapping of languages to file extensions
1111
LANGUAGE_TO_EXTENSIONS = {
12+
"apex": [".cls", ".trigger"],
1213
"python": [".py", ".pyx", ".pyi"],
1314
"javascript": [".js", ".jsx", ".mjs"],
1415
"typescript": [".ts", ".tsx"],
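Review bot: `.cls` is also the extension used by LaTeX document-class files, so before merging check that no other entry in `LANGUAGE_TO_EXTENSIONS` already claims `.cls` and that, if this mapping is ever inverted to infer a language from an extension, Apex is the intended winner; `.trigger` is unambiguous. The `"apex"` key matches the `- apex` value added to the rule's `languages:` list in the other file, which is the coupling that makes this one-line change necessary.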
