Security Review - False Positive for SOQL Injection - Configuration Data (Input only by System Admin User)

No this is not a false positive and your app can fail Salesforce security review process due to this!

Since this is a user input there are chances that users can put in a SOQL that can have a security flaw!

It's always recommended you put enough guardrails and security checks in your code.

I would make sure to adopt techniques such as character replace or block listing to secure the code.

Read through all the techniques explained here to make sure you have sufficient validations in your code or have a UI that's less free text and more of a picker so user does not enter something that can cause issue.


Mohith is correct that this isn't a simple "false positive" and you do need to engineer the use of the setting/property appropriately. Since this is actually looking to provide a filter, and thus is providing content for an SOQL (or SOSL) WHERE clause, this needs to be handled in a different way to handling security concerns for user inputs that are themselves inserted as values.

Based on our own experiences doing much the same and passing security review:

  • Always insert the filter expression into the query by wrapping it in parentheses. This has several benefits:
    • If you have other WHERE clause terms that are always applied, the inserted filter expression will be applied with appropriate precedence in comparison, regardless of how it is internally structured
    • Any attempt to use other keywords, such as GROUP BY or LIMIT in the filter expression, will result in syntax errors rather than exposing a vector for security circumvention
  • Explicitly comment the absence of use of single quote escaping as reasonable, and not a security issue, given that the filter is not a value but instead one or more WHERE clause terms.

It should be noted that, since you have used parentheses, you can be certain that only an entirely balanced WHERE clause snippet will work. Even if someone tried to inject inappropriate terms, such as ORDER BY, into the snippet this will not work; there would be an unbalanced number of parentheses in the query and the query will not be executed or these keywords would be embedded within the WHERE which is not legal SOQL/SOSL.

Tags:

False Positive

Dynamic Soql

Security Review

Lightning Web Components

Soql Injection

Related

How to see encrypted field in System mode? How update Managed Packages (2GP) if one of the Apex classes is scheduled Apex When did PicklistEntry label become null? If I Use a Loan Pattern is Salesforce smart enough to do a SOQL for loop? Can an LWC component get its own name? Permission set is deployed with unlocked package, but is missing permission. What could be the reason? Why is SFDX deploy throwing a false warning/error regarding forceignore v2 and double asterisk wildcard? (**\.*) Custom Setting proxy class, how to make its operation transparent outside of tests? Winter'21 Release - BEM Notation Change Can Apex static values be used to safely communicate between executions of process builder? Test is failing while creating package, but passes in all other cases Externally hosted Javascript is unable to access Visualforce page

Recent Posts