SOQL Injection:
Risk:
There is always a risk that a malicious user sends unexpected values or commands in order to fetch data they are not supposed to see, break the query, or alter data.
Preventing steps:
1. The Salesforce platform already takes care of part of this: SOQL only supports queries, not update or delete statements. This reduces the risk to some extent compared to other query platforms.
2. SOQL queries still carry a risk, so it is very important to validate the supplied input in order to avoid a SOQL injection vulnerability.
· Best practice is always to write static queries with bind variables.
· If dynamic queries are required, apply "String.escapeSingleQuotes" to the values being concatenated (note that this only protects quoted values, not field or object names).
Example:
In the following scenario, what is the fix to avoid the SOQL injection vulnerability?
Whitelisting to fix this:
Vulnerable version (only null checks on names taken from another source):
// Field names and object name are fetched from another source (metadata, label, etc.)
String Field1;
String Field2;
String objName;
String accId = 'xxxxxxxx'; // Account Id to pass
String strQuery;
// Vulnerable: a null check does not stop attacker-controlled field or object names
// from being spliced straight into the query; escapeSingleQuotes only covers accId.
if (Field1 != null && Field2 != null && objName != null) {
    strQuery = 'SELECT ' + Field1 + ',' + Field2 + ' FROM ' + objName +
               ' WHERE Id = \'' + String.escapeSingleQuotes(accId) + '\'' +
               ' AND ' + Field2 + ' != 0';
}
Fix:
// Compare against the exact expected names instead of checking != null
if (Field1 == 'Name' && Field2 == 'AccountNumber' && objName == 'Account') {
    strQuery = 'SELECT ' + Field1 + ',' + Field2 + ' FROM ' + objName +
               ' WHERE Id = \'' + String.escapeSingleQuotes(accId) + '\'' +
               ' AND ' + Field2 + ' != 0';
}
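The three defences above (static SOQL with a bind variable, an allow-list for identifiers, and escapeSingleQuotes only for a value that must be concatenated) in one Apex class. This is an added example, not code from the original note; the class name, the allow-list contents and the method names are assumptions.

```apex
public with sharing class AccountQueryService {
    // Allow-list of field API names a caller may select (constructed for this example).
    private static final Set<String> ALLOWED_FIELDS =
        new Set<String>{ 'Name', 'AccountNumber', 'Industry' };

    // 1. Preferred: static SOQL with a bind variable. The value is never parsed as query text.
    public static List<Account> findByIdStatic(Id accId) {
        return [SELECT Id, Name, AccountNumber FROM Account WHERE Id = :accId];
    }

    // 2. Dynamic SOQL when the selected field must vary at runtime.
    //    Identifiers cannot be bound, so they are checked against the allow-list;
    //    the value is still passed as a bind variable, not concatenated.
    public static List<Account> findByIdDynamic(String fieldName, String accId) {
        if (!ALLOWED_FIELDS.contains(fieldName)) {
            throw new IllegalArgumentException('Field not permitted: ' + fieldName);
        }
        String q = 'SELECT Id, ' + fieldName + ' FROM Account WHERE Id = :accId';
        return Database.query(q);
    }

    // 3. Only when a value really must be concatenated (e.g. a LIKE pattern built
    //    at runtime): escape it. escapeSingleQuotes does nothing for field or
    //    object names, which is why they are allow-listed above instead.
    public static List<Account> searchByName(String fragment) {
        String safe = String.escapeSingleQuotes(fragment);
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + safe + '%\'';
        return Database.query(q);
    }
}
```

Passing a field name such as `Name' FROM Account WHERE Owner.Name = 'x` to findByIdDynamic is rejected by the allow-list check rather than reaching the query engine.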