
[apex] False positive for ApexXSSFromURLParam #2782

Open
ankushsomani09 opened this issue Sep 16, 2020 · 2 comments
Labels
a:false-positive PMD flags a piece of code that is not problematic

Comments


ankushsomani09 commented Sep 16, 2020

Affects PMD Version:
6.24+
7.0.0

Rule: ApexXSSFromURLParam

Rule name
https://pmd.github.io/pmd-6.24.0/pmd_rules_apex_security.html#apexxssfromurlparam

Description: False positive, even though String.escapeSingleQuotes is being used on the URL parameter input.
Apex method link to prevent XSS: https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_methods_system_string.htm#apex_System_String_escapeSingleQuotes
Code Sample demonstrating the issue:

String IdAccount = String.escapeSingleQuotes(Apexpages.currentPage().getParameters().get('Id'));  
-- OR --
String IdAccount = Apexpages.currentPage().getParameters().get('Id');
IdAccount = String.escapeSingleQuotes(IdAccount); // Here, this line gives the violation

Expected outcome:

  • Does PMD report a violation, where there shouldn't be one? -> false-positive

Running PMD through: [Ant]

@ankushsomani09 ankushsomani09 added the a:bug PMD crashes or fails to analyse a file. label Sep 16, 2020
@adangel adangel changed the title False positive for ApexXSSFromURLParam [apex] False positive for ApexXSSFromURLParam Sep 17, 2020
@adangel adangel added a:false-positive PMD flags a piece of code that is not problematic and removed a:bug PMD crashes or fails to analyse a file. labels Sep 17, 2020

dschach commented Feb 15, 2022

String IdAccount = String.escapeSingleQuotes(Apexpages.currentPage().getParameters().get('Id')); <-- I have an error on this line. Running ApexPMD in VSCode (0.5.8, so PMD 6.41)

nwcm (Contributor) commented May 17, 2023

This rule should likely be deprecated.

Apexpages.currentPage().getParameters() returns a Map<String, String>

So requiring casting to (String) passes this rule, even though the return of getParameters().get('foo') is a String
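Added example (not code from the PMD project or from any commenter on this issue): a Visualforce controller sketch that puts the three patterns discussed in this thread side by side. The class and property names (AccountViewController, accountId, accountIdCast, safeLabel) and the 'label' parameter are assumptions; the String methods used are the documented Salesforce ones. The point for a defender is that String.escapeSingleQuotes only backslash-escapes single quotes, which is the helper for building dynamic SOQL safely, whereas reflected XSS is about HTML output, where escapeHtml4 (or Visualforce's default output escaping) is the relevant control.

```apex
// Added example, not from PMD or the issue author. Names below are assumed.
public with sharing class AccountViewController {

    // Pattern from the report: escapeSingleQuotes() applied to the URL parameter.
    // This is the SOQL-injection helper; it does not HTML-encode the value.
    public String accountId {
        get {
            return String.escapeSingleQuotes(
                ApexPages.currentPage().getParameters().get('Id'));
        }
    }

    // Variant nwcm describes: a redundant (String) cast on a value that is already
    // a String (getParameters() returns Map<String, String>). The cast changes
    // nothing at runtime; it only changes what the rule sees.
    public String accountIdCast {
        get {
            return (String) ApexPages.currentPage().getParameters().get('Id');
        }
    }

    // Value that is rendered back into the page: HTML-escape it at the point of
    // output. escapeHtml4() is the instance method for that context; Visualforce
    // output components also escape by default unless escape="false" is set.
    public String safeLabel {
        get {
            String raw = ApexPages.currentPage().getParameters().get('label');
            return raw == null ? '' : raw.escapeHtml4();
        }
    }
}
```

When reviewing a finding from this rule, check which sink the parameter reaches: a SOQL string is the escapeSingleQuotes case, an HTML or JavaScript sink needs the matching escapeHtml4 / escapeEcmaScript call or the component's built-in escaping, and the (String) cast on its own provides no protection at all.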

@jsotuyod jsotuyod added the needs:pmd7-revalidation The issue hasn't yet been retested vs PMD 7 and may be stale label Mar 17, 2024
@jsotuyod jsotuyod removed the needs:pmd7-revalidation The issue hasn't yet been retested vs PMD 7 and may be stale label Apr 2, 2024