pmd-apex/src/main/resources/rulesets/apex/security.xml

<?xml version="1.0"?>

<ruleset name="Security" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">
	<description>
        These rules deal with different security problems that can occur within Apex.
    </description>

	<rule name="ApexSharingViolations" since="5.5.3"
		message="Apex classes should declare a sharing model if DML or SOQL/SOSL is used"
		class="net.sourceforge.pmd.lang.apex.rule.security.ApexSharingViolationsRule"
		externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexSharingViolations">
		<description>
            Avoid Apex classes declared with no explicit sharing mode if DML methods are used.
        </description>
		<priority>3</priority>
		<example>
            <![CDATA[
public class without sharing Foo {
// DML operation here
}
    ]]>
        </example>
	</rule>

	<rule name="ApexOpenRedirect" since="5.5.3"
		message="Apex classes should safely redirect to a known location"
		class="net.sourceforge.pmd.lang.apex.rule.security.ApexOpenRedirectRule"
		externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexOpenRedirect">
		<description>
            Avoid Apex controllers using PageReference to redirect to an unknown location
        </description>
		<priority>3</priority>
		<example>
            <![CDATA[
public class without sharing Foo {
	String unsafeLocation = ApexPage.getCurrentPage().getParameters.get('url_param');
    PageReference page() {
       return new PageReference(unsafeLocation);
    }
}
    ]]>
        </example>
	</rule>


	<rule name="ApexInsecureEndpoint" since="5.5.3"
		message="Apex callouts should use encrypted communication channels"
		class="net.sourceforge.pmd.lang.apex.rule.security.ApexInsecureEndpointRule"
		externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexInsecureEndpoint">
		<description>
            Apex callouts should use encrypted communication channels
        </description>
		<priority>3</priority>
		<example>
            <![CDATA[
public class without sharing Foo {
    void foo() {
		HttpRequest req = new HttpRequest();
		req.setEndpoint('http://localhost:com');
    }
}
    ]]>
        </example>
	</rule>

	<rule name="ApexXSSFromURLParam" since="5.5.3"
		message="Apex classes should escape/sanitize Strings obtained from URL parameters"
		class="net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromURLParamRule"
		externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexXSSFromURLParam">
		<description>
            Apex classes should escape/sanitize Strings obtained from URL parameters
        </description>
		<priority>3</priority>
		<example>
            <![CDATA[
public class without sharing Foo {
	String unescapedstring = ApexPage.getCurrentPage().getParameters.get('url_param');
	String usedLater = unescapedstring;
}
    ]]>
        </example>
	</rule>


	<rule name="ApexXSSFromEscapeFalse" since="5.5.3"
	message="Apex classes should escape Strings in error messages"
	class="net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromEscapeFalseRule"
	externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexXSSFromEscapeFalse">
		<description>
            Apex classes should escape Strings in error messages
        </description>
		<priority>3</priority>
		<example>
            <![CDATA[
public class without sharing Foo {
	Trigger.new[0].addError(vulnerableHTMLGoesHere, false);
}
    ]]>
        </example>
	</rule>

	<rule name="ApexBadCrypto" since="5.5.3"
		message="Apex classes should use random IV/key"
		class="net.sourceforge.pmd.lang.apex.rule.security.ApexBadCryptoRule"
		externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexBadCrypto">
		<description>
            Apex classes should use random IV/key
        </description>
		<priority>3</priority>
		<example>
            <![CDATA[
public class without sharing Foo {
	Blob hardCodedIV = Blob.valueOf('Example of IV123');
	Blob key = Crypto.generateAesKey(128);
	Blob data = Blob.valueOf('Data to be encrypted');
	Blob encrypted = Crypto.encrypt('AES128', key, hardCodedIV, data);
}
    ]]>
        </example>
	</rule>


	<rule name="ApexCSRF" since="5.5.3"
		message="Avoid making DML operations in Apex class constructor/init method"
		class="net.sourceforge.pmd.lang.apex.rule.security.ApexCSRFRule"
		externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexCSRF">
		<description>
            Avoid DML actions in Apex class constructor/init method without CSRF protection
        </description>
		<priority>3</priority>
		<example>
            <![CDATA[
public class Foo {
	public init() {
		insert data;
	}

	public Foo() {
		insert data;
	}
}
    ]]>
        </example>
	</rule>

	<rule name="ApexSOQLInjection" since="5.5.3"
		message="Avoid untrusted/unescaped variables in DML query"
		class="net.sourceforge.pmd.lang.apex.rule.security.ApexSOQLInjectionRule"
		externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexSOQLInjection">
		<description>
            Avoid merging untrusted/unescaped variables in DML operations 
        </description>
		<priority>3</priority>
		<example>
            <![CDATA[
public class Foo {
	public void test1(String t1) {
		Database.query('SELECT Id FROM Account' + t1);		
	}
}
    ]]>
        </example>
	</rule>
	
	<rule name="ApexCRUDViolation" since="5.5.3"
		message="Validate CRUD permission before SOQL/DML operation"
		class="net.sourceforge.pmd.lang.apex.rule.security.ApexCRUDViolationRule"
		externalInfoUrl="${pmd.website.baseurl}/rules/apex/security.html#ApexCRUDViolationRule">
		<description>
            Validate CRUD permission before SOQL/SOSL/DML operation
        </description>
		<priority>3</priority>
		<example>
            <![CDATA[
public class Foo {
	public Contact foo(String status, String ID) {
		Contact c = [SELECT Status__c FROM Contact WHERE Id=:ID];
		if (!Schema.sObjectType.Contact.fields.Name.isUpdateable()){
      		return null;
    	}
    	c.Status__c = status;
    	update c;
    	return c;
	}
}
    ]]>
        </example>
	</rule>

</ruleset>