[apex] ApexCRUDViolation: Recognize User Mode in SOQL + DML

[rsoesemann]

Affects PMD Version:

Rule: ApexCRUDViolation

Description:
With the upcoming Winter '23 (API Version 56) Salesforce is going to add more native capabilities to enforce CRUD and FLS security in SOQL queries and DML statements as described here https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_enforce_usermode.htm.

Currently, the usage of such new features is ignored by PMD and marked as a CRUD Violation. Therefor the rule needs to be extended to recognize and handle them correctly.

Code Sample demonstrating the issue:

public class UserMode {
	public void coverAllCasesWithTest() {
                // SOQL Queries cases
                
                Contact c;
                // Should be flagged a critical issue
                c = [SELECT Name FROM Contact];
                // Should be ignored
		c = [SELECT Name FROM Contact WITH USER_MODE];
                // Should be at best a warning because it ignores CRUD but explicitly
		c = [SELECT Name FROM Contact WITH SYSTEM_MODE];

                // DML cases

                // Should be flagged a critical issue
               insert contact;

                // Should be ignored
               insert as user contact;

                // Should be at best a warning because it ignores CRUD but explicitly
		insert as system contact;

               // ...and for ALL other occurrences of System.AccessLevel
	}
}

This issue should cover all cases with the optional accessLevel parameter. See Dynamic SOQL.
Database.getQueryLocator methods
Search.query methods
Database DML methods (insert, update, upsert, merge, delete, undelete, and convertLead)
Includes the *Immediate and *Async methods, such as insertImmediate and deleteAsync.

This issuers should be easy to contribute as we can just look at how the related earlier enhancements were done: #2210

[Tarush-Singh35]

@rsoesemann I would like to contribute to this issue can you assign this issue to me?

[rsoesemann]

@adangel was faster ;-)

Welcome @Tarush-Singh35. Thanks for your willingness to contribute to this very relevant change request.
Maybe you can join force with @rbklaassen from within Salesforce who also wanted to take this.

[Tarush-Singh35]

yeah sure, I am getting started @rsoesemann we can work something out together. how can we connect @rbklaassen please let me know

[Tarush-Singh35]

@rbklaassen I am getting started with the issue if you want to join do ping me.

Thanks & Regards

[rbklaassen]

Hi @Tarush-Singh35 , go ahead and start on this. I've been quite busy last week and preparing a go-live at customer this week, so I don't think I can help out this or next week. I'll check in after that!

[rbklaassen]

Also, how do you prefer to connect @Tarush-Singh35 ?

[Tarush-Singh35]

@rbklaassen through slack would be great

[rbklaassen]

I'm on slack with rklaassen@salesforce.com @Tarush-Singh35

[Tarush-Singh35]

I'm on slack with rklaassen@salesforce.com @Tarush-Singh35

yeah will connect with you through slack

[rsoesemann]

Any progress here,guys?

[rbklaassen]

Sorry, not yet. Have had COVID and a pretty busy schedule at customer.

[Tarush-Singh35]

I made some progress but I had an operation so I was on rest I will raise the PR soon also @rbklaassen sorry for not connecting with you

[Tarush-Singh35]

@rbklaassen you ready to contribute?

[rbklaassen]

Yes, I can do some work on this tomorrow. Do you want to collaborate tomorrow @Tarush-Singh35 ?

[Tarush-Singh35]

Yeah @rbklaassen lets do this

[rbklaassen]

You need to connect with me through slack, I don't have enough details to connect to you @Tarush-Singh35

[Tarush-Singh35]

You need to connect with me through slack, I don't have enough details to connect to you @Tarush-Singh35

I will create a workspace and I will ask you to join it

[Tarush-Singh35]

Added you @rbklaassen in Slack

[rsoesemann]

@rbklaassen and @Tarush-Singh35 any progress here? Or do you have any blockers I can help with?

[rbklaassen]

Hi @rsoesemann, today we had a meeting together and discussed the way forward. I came to the conclusion that I miss the Java knowledge to really work on the code, but I can be the support-desk for @Tarush-Singh35 as I know Apex very good. Also I will be able to test his solution when needed on a local project for instance.

[Tarush-Singh35]

Yeah I am formulating a solution I think so I will be able to make a pull request soon @rsoesemann and @rbklaassen are mentoring me in the apex

[Tarush-Singh35]

@rsoesemann @rbklaassen i need help to understand the issue in my PR can you guys help me out

[rsoesemann]

@Tarush-Singh35 I see two comments from @adangel which both make sense to me:

1. Explicit SYSTEM Mode should not detect an Issue. It's ok bahviour
2. Your code https://github.com/pmd/pmd/pull/4244/files#diff-32e0573a4d25115d3334e8f69cd4db0628e035eaa3831a90fc5f00a0e4e272f1R668 changes the logic also for other cases that relate to SECURITY ENFORCED. That's most probably the reason why existing test fail. Please run all tests before you submit a PR.

[adangel]

@rsoesemann Be aware, that the rule currently doesn't support query: see #2628 - so I didn't add this either.

Also, the currently available Jorje library (last updated in Feb. 2022) doesn't support the syntax insert as user new Contact(LastName='foo'). It fails with the following exception:

Caused by: apex.jorje.services.exception.ParseException: Syntax(error = UnexpectedToken(loc = (10, 16, 53, 55), token = 'as'))

There doesn't seem to be a new version available yet: https://github.com/forcedotcom/salesforcedx-vscode/commits/develop/packages/salesforcedx-vscode-apex/out/apex-jorje-lsp.jar

Apart from these two points, the PR #4244 fixes this issues.